Privacy
Andreas is a going-out app for Amsterdam. Below: what we store about you, why, where it lives, how long we keep it and how to remove it.
What we store about you
- Phone number — required, because it's your login. We send one SMS code per login attempt and verify it.
- Name and handle — whatever you set in the app. Friends can see this.
- Avatar — if you upload one. Optional.
- Preferences — night/day mode, whether your saves are visible to friends, whether you're discoverable in search.
- Saves, friendships, invites, followed venues and series — if you create them.
- Sessions — a token on your device that keeps you logged in. Valid for 180 days, rolling.
- Server logs — IP address + user agent on each API call, so we can detect abuse. Max 30 days.
Device permissions
- Camera — only active when you scan a friend's QR code via the friends feature. The camera stream is processed locally on your device to decode the code; no photos or imagery are sent to our servers.
- Photo library — only when you pick an avatar photo. The chosen photo is uploaded to Bunny (see sub-processors); other photos remain on your device.
- Notifications — only when you explicitly opt in. Used for reminders of saved events and updates from venues you follow.
What we don't store
- No passwords — Andreas doesn't have them.
- No date of birth, address, gender — never asked.
- No location. Distance is calculated on your device; nothing leaves the phone.
- No tracking pixels, no advertising IDs, no analytics SDKs, no Facebook integration.
Why we store it (legal basis)
- Performance of contract (article 6.1.b GDPR) — login, profile, saves and friend network: without these the app doesn't function.
- Legitimate interest (article 6.1.f GDPR) — server logs for abuse detection, and brief retention of OTP codes during a login attempt.
Where it lives
Andreas uses the following sub-processors, all within the European Economic Area:
| Component | Provider | Location |
|---|---|---|
| Database | Neon Inc. | Frankfurt (Germany) |
| Server hosting | Fly.io Inc. | Amsterdam |
| Image storage (avatars, photos) | BunnyWay d.o.o. | Ljubljana (Slovenia) |
| SMS / login code | Bird B.V. (formerly MessageBird) | Amsterdam |
| App distribution | Apple Distribution International | Ireland (App Store publication) |
With Fly.io and Neon (US companies with EU regions) we've signed a data-processing agreement based on the Standard Contractual Clauses.
How long we keep it
- Account data — until you delete your account, then removed from live systems within 30 days.
- Sessions — 180 days after last activity.
- OTP codes — minutes only, as long as the SMS code is valid.
- Server logs — max 30 days.
- Backups — encrypted, with the same rolling expiry.
Your rights
Under the GDPR you have the right to access, rectify, erase, restrict and port your personal data. Exercise your rights by emailing wij@andreas.amsterdam. We respond within four weeks.
Not satisfied? You can file a complaint with the Dutch Data Protection Authority.
Changes
When we update this text we mark it with a new date at the top. Material changes (new processor, different purpose) are also announced in the app.
Contact
Email: wij@andreas.amsterdam.