Terms of use & privacy policy for Go.Do.

Valid from: 19 maj 2026
Latest update: 7 juli 2026

This Terms of Use & Privacy Policy describes how Go.Do. AB ("Go.Do.", "we", "us", "our") collects, uses, and protects your personal data when you use the Go.Do. mobile application (iOS and Android, package nu.godo.app), the Go.Do. organiser website at godo-dev.nu, and our backend services (together, the "Service").

Go.Do. AB is the data controller for the personal data described in this policy, in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Swedish Data Protection Act (2018:218).

It also regulates what type of information you are allowed to publish to our app through this form.

1. Who we are‍ ‍

Go.Do. AB
Sweden
Registered address: Kolonigatan 8, 26253 Ängelholm
Organisation number: 559516-8906
Contact for privacy matters: Contact@godo.nu‍ ‍

We have appointed a privacy contact who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact us at the email above.

2. What data we collect‍ ‍

We collect only the data we need to operate the Service. Specifically:

2.1 Account information‍ ‍

  • Email address: Required to create an account, log in, and receive essential service emails (password reset, account notices).

  • Name: Required at registration and displayed in your profile.

  • Password (if you registered with email and password): Stored as a salted hash using HMAC-SHA512 with a per-user random salt. We never store passwords in plain text and we never see your password. Accounts created via social login only (Apple or Google) have no password stored at all.

  • Role: Whether you are a regular app user, a Go.Do.More subscriber, an event organiser, or an administrator. This determines what features you can access.

2.2 Authentication providers (social login)‍ ‍

If you sign in with Google or Apple, we receive a stable identifier and your email address from that provider. We do not receive your social-network password.

  • Google Sign-In via the official Google Identity Services library (mobile: @react-native-google-signin/google-signin).

  • Apple Sign in with Apple via expo-apple-authentication. Apple may return a private relay email; we treat it the same way as a normal email.

2.3 Location data (optional)‍ ‍

With your permission, the mobile app may use your approximate or precise location to find events near you and to show your position on the in-app map. You can grant or deny this permission at any time in your device settings. The Service still works without location access, you just need to pick a city manually.

2.4 Calendar access (optional)‍ ‍

With your permission, the mobile app can read and write entries in your device calendar, so you can add an event you are interested in to your own calendar with one tap. We do not transmit your calendar contents to our servers; the read/write happens locally on your device.

2.5 In-app purchases and subscriptions‍ ‍

Go.Do.More features are billed through Apple App Store (in-app purchases) or Google Play Billing. Apple and Google process your payment and we never see your card number or full payment details. We receive only:

  • A receipt or purchase token that we validate server-side to confirm the purchase.

  • The product identifier you purchased (e.g. premium tier).

  • Purchase and renewal status, so we can grant or revoke entitlements.

2.6 Authentication tokens stored on your device‍ ‍

After login, we store a short-lived access token (appr. 5 minutes) and a refresh token in your device's secure storage (iOS Keychain / Android Keystore, via expo-secure-store). These tokens stay on your device and are sent only to our API when you make a request.

2.7 Usage data‍ ‍

We record, in general terms, how the Service is used: which event listings are viewed, which categories and filters are selected, and similar product analytics. This data is used to improve the Service.

3. How we use your data

4. Legal bases (GDPR Article 6)

  • Performance of a contract (Art. 6(1)(b)): tT create your account, deliver the Service you signed up for, and process purchases.

  • Legitimate interests (Art. 6(1)(f)): To operate, secure, and improve the Service (e.g. fraud prevention, basic product analytics). We balance this against your rights and freedoms.

  • Consent (Art. 6(1)(a)): For optional features that require your permission, such as location and calendar access. You may withdraw consent at any time, with no effect on the lawfulness of processing before withdrawal.

  • Legal obligation (Art. 6(1)(c)): Where we must retain records (for example, accounting records for purchases, under Swedish book keeping law).

5. Sharing and third-party processors

We do not sell your personal data. We share data only with the service providers ("processors") we need to run the Service. Each processor handles data on our instructions under a data processing agreement.

6. International transactions‍ ‍

Most of your personal data is processed on servers located in Sweden (EU/EEA). However, certain processors (notably Apple, Google, Resend, and Expo) may transfer or access personal data outside the EEA – typically to the United States. Where this happens, we rely on the European Commission's Standard Contractual Clauses (SCCs) and any additional safeguards required under Articles 44–49 of the GDPR.

7. Data retention‍ ‍

  • Active accounts: Kept for as long as your account exists.

  • Deleted accounts: Personal data is deleted or anonymised within 30 days after you delete your account, except where we are required by law to retain certain records.

  • Purchase / billing records: Retained for 7 years to comply with the Swedish Book keeping Act (Bokföringslagen 1999:1078).

  • Server logs: Retained for 90 days for security and debugging.

  • Backups: Encrypted backups rotate out within 30 days.  

8. Your rights‍ ‍

Under the GDPR (Articles 15–22), you have the right to:

  • Access the personal data we hold about you (Art. 15).

  • Rectify data that is inaccurate or incomplete (Art. 16).

  • Erase your data ("right to be forgotten", Art. 17). You can do this yourself in the app – see Section 9 below.

  • Restrict processing of your data (Art. 18).

  • Data portability: Receive your data in a machine-readable format (Art. 20).

  • Object to processing based on legitimate interests (Art. 21).

  • Withdraw consent at any time, where processing is based on consent (Art. 7(3)).

  • Lodge a complaint with the Swedish supervisory authority,  Integritetsskyddsmyndigheten (IMY, imy.se) or with the supervisory authority in your EU country of residence.

To exercise any of these rights, email us at contact@godo.nu. We will respond within one month (with a possible two-month extension for complex requests, as permitted by GDPR Art. 12(3)).

9. Account deletion‍ ‍

You can delete your Go.Do. account at any time, directly inside the mobile app:

  1. Open the Go.Do. app and sign in.

  2. Go to the Profile tab.

  3. Tap Delete Account and confirm.

Once you confirm, your account is scheduled for deletion. Personal data is removed or anonymised in accordance with the retention rules in Section 7. Some records (notably purchase / accounting records) must be kept by law and will be retained for the period required, then deleted.

If you cannot access the app for any reason, email contact@godo.nu from the email address linked to your account and we will process the deletion for you.

10. Children's privacy‍ ‍

The Service is not intended for children under the age of 16. We do not knowingly collect personal data from a child under 16. If you are a parent or guardian and you believe your child has provided us with personal data, please email us on Contact@godo.nu and we will delete the data.

11. Security‍ ‍

  • All communication with our API is encrypted over HTTPS (TLS).

  • Passwords are stored as HMAC-SHA512 hashes with a unique salt per user. We never log or store plain-text passwords.

  • In-app purchase receipts are validated server-side against Apple and Google. Clients cannot grant themselves access to paid features.

  • Access tokens on your device are stored in the operating system's secure storage (iOS Keychain / Android Keystore).

  • We restrict internal access to personal data on a least-privilege basis and review access regularly.

12. Forbidden content

Users of our Service are strictly prohibited from creating, uploading, submitting, transmitting, or otherwise making available any content that is racist, xenophobic, misogynistic, homophobic, discriminatory, hateful, harassing, defamatory, threatening, violent, harmful, abusive, obscene, or otherwise offensive or insulting. This includes, without limitation, content targeting individuals or groups based on race, ethnicity, nationality, gender, gender identity, sexual orientation, religion, disability, or any other protected characteristic. Go.Do. reserves the right to immediately remove any such content, suspend or terminate user accounts, and take any additional action deemed appropriate, including reporting violations to relevant authorities and pursuing legal action. By using Go.Do., the user agrees to comply fully with this provision and acknowledges that any breach may result in serious consequences.

13. Changes to this policy‍ ‍

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you in the app or by email. Continuing to use the Service after a change means you accept the updated policy. We encourage you to review this page periodically.

14. Contact

For any privacy-related question or to exercise a right above, contact: Go.Do. AB
Laxgatan 6
26237 Ängelholm
Email: contact@godo.nu