Skip to main content
whatsgoingon
Map

Privacy Policy

Last updated: March 2026

This Privacy Policy explains how Whats Going On London Ltd, trading as What's Going On (company number 17107610) (“we”, “us”, “our”) collects, uses, stores and protects your personal data when you access or use our website at whatsgoingon.london (the “Service”). We are committed to safeguarding your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data controller

For the purposes of applicable data protection legislation, the data controller is Whats Going On London Ltd (company number 17107610), whose registered office is at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. You can contact us at privacy@whatsgoingon.london.

2. Information we collect

2.1 Account information

If you choose to create an account, we collect the personal data you provide during registration, including your email address and display name. Account authentication is facilitated by Supabase, a third-party infrastructure provider.

2.2 Usage data

When you access the Service, we may automatically collect certain technical information, including but not limited to your browser type, device characteristics, pages visited, referring URL, access times and interaction patterns. This data is used solely for the purpose of maintaining, improving and securing the Service.

2.3 Location data

The Service utilises your device's geolocation API to centre the map on your approximate location. This data is processed client-side within your browser and is not transmitted to or stored on our servers. You may decline to grant location access, in which case the map will default to a central London view. No location data is retained by us.

2.4 Bookmarks, saved searches and preferences

If you are signed in, we store your bookmarked events, bookmarked venues, saved search filters and notification preferences so that they persist across sessions. This data is associated with your account and is not shared with third parties.

3. Lawful basis for processing

We process personal data on the following lawful bases:

  • Contractual necessity (Article 6(1)(b)) — processing required to provide the Service and maintain your account
  • Legitimate interests (Article 6(1)(f)) — processing necessary to improve the Service, ensure security, prevent abuse and aggregate publicly available event data, where such interests are not overridden by the rights of data subjects
  • Consent (Article 6(1)(a)) — where you have given explicit consent, such as opting in to email notifications or accepting non-essential cookies

3.1 Event data aggregation

We collect and display publicly available event information (titles, dates, venues, descriptions and images) from third-party platforms and venue websites. We rely on legitimate interests as the lawful basis for this processing. Our legitimate interest is to provide a comprehensive event discovery service for London. We have conducted a balancing assessment and concluded that this processing does not override the rights of event organisers or venue operators because:

  • The information is already published publicly by the data subjects themselves
  • Our use is consistent with the reasonable expectations of event organisers who publish event details for public consumption
  • We provide clear attribution to the original source and link back to the original listing
  • We offer a straightforward content removal process for any party who objects to inclusion
  • Our scrapers identify themselves honestly via User-Agent headers, allowing platforms to block collection if desired

4. How we use your information

We use the information we collect for the following purposes:

  • To provide, operate and maintain the Service
  • To display events relevant to your location and preferences
  • To persist your bookmarks, saved searches and account settings
  • To send you email notifications where you have opted in to receive them
  • To monitor, analyse and improve the performance and reliability of the Service
  • To detect, prevent and address technical issues and security threats
  • To communicate with you regarding your account where necessary

We do not sell, rent or trade your personal data to third parties. We do not use your data for advertising, profiling or automated decision-making.

5. Third-party processors

We engage the following third-party service providers, each of which may process limited personal data in the course of providing their services to us:

  • Supabase — authentication, database hosting and data storage. Processes account credentials and stored user preferences. Privacy Policy
  • Mapbox — interactive map rendering. May collect usage telemetry and set functional cookies. Privacy Policy
  • Vercel — website hosting and content delivery. May collect standard server logs including IP addresses and request metadata. Privacy Policy
  • Anthropic (Claude AI) — used to extract structured event data from venue websites during our automated data collection process. Venue website HTML (which may include publicly available contact information) is sent to Anthropic's API for processing. No user personal data is sent to Anthropic. Privacy Policy
  • Resend — email delivery service used to send weekly digest emails and notifications to users who have opted in. Processes email addresses of subscribed users. Privacy Policy
  • Vercel Analytics & Speed Insights — privacy-friendly web analytics and performance monitoring. Does not use cookies, does not collect personal data and does not track users across sites. Loaded without requiring consent. Privacy Policy

Each processor is contractually required to handle personal data in compliance with applicable data protection legislation and solely in accordance with our instructions. The following table summarises where each processor may store or process data:

  • Supabase — EU (Frankfurt, AWS eu-central-1)
  • Vercel — global edge network; origin functions in US East
  • Mapbox — United States
  • Anthropic — United States
  • Resend — United States
  • Plausible Analytics — European Union

Where data is transferred outside the United Kingdom, appropriate safeguards are in place as described in Section 8 below. If we add or replace a sub-processor, we will update this section accordingly. Material changes to our sub-processor list will be noted in the “last updated” date at the top of this policy.

6. Cookies and local storage

The Service uses a limited number of cookies and local storage mechanisms:

  • Authentication cookies — set by Supabase to maintain your authenticated session. These are strictly necessary for login functionality.
  • Map cookies — Mapbox may set cookies for tile caching and performance analytics.
  • Local storage — we store certain non-personal preferences (such as your last map position and dark mode setting) in your browser's local storage.

We use Plausible Analytics, a privacy-focused analytics service that does not use cookies, does not collect personal data and does not track users across sites. Plausible is loaded only if you accept cookies via our consent banner. We do not use advertising cookies, social media tracking pixels or third-party behavioural analytics. You may control cookies through your browser settings, although disabling strictly necessary cookies may impair the functionality of the Service.

7. Data retention

We apply the following retention periods:

  • Account data (email, display name, preferences) — retained for as long as your account remains active. Upon account deletion, all personal data is permanently removed within 30 days.
  • Bookmarks, saved searches and followed venues — retained while your account is active; deleted when your account is deleted.
  • Event view counts — aggregated daily counts are retained indefinitely but contain no personally identifiable information (no IP addresses or user IDs are stored).
  • Event listings — past events are archived and removed from the active database on a rolling basis (typically within 30 days of the event date). Archived event data does not contain personal information.
  • Server logs — standard access logs (including IP addresses) are retained by our hosting provider Vercel in accordance with their own retention policy, typically up to 30 days.
  • Analytics data — Plausible Analytics does not collect personal data or use cookies. Aggregated analytics data is retained indefinitely.

8. International data transfers

Some of our third-party processors (Vercel, Mapbox, Anthropic and Resend) are based in the United States, and your data may be transferred to and processed in the US or other countries outside the United Kingdom. Where such transfers occur, we rely on one or more of the following safeguards as required by UK GDPR Articles 44–49:

  • UK adequacy regulations — transfers to countries or territories that the UK Secretary of State has determined provide an adequate level of data protection
  • International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses — contractual safeguards approved by the ICO that bind the recipient to protect your data to UK standards
  • Processor terms — each provider's Data Processing Agreement includes commitments to protect data in transit and at rest, limit access to authorised personnel and notify us of government access requests

Our primary database (Supabase) is hosted in the EU (Frankfurt), which benefits from a UK adequacy decision. No user personal data is sent to Anthropic — only publicly available venue website HTML is processed.

9. Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access — to obtain a copy of the personal data we hold about you
  • Right to rectification — to request correction of any inaccurate or incomplete data
  • Right to erasure — to request deletion of your personal data, subject to any legal obligations requiring retention
  • Right to restrict processing — to request that we limit the processing of your data in certain circumstances
  • Right to data portability — to receive your data in a structured, commonly used and machine-readable format
  • Right to object — to object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent, to withdraw that consent at any time without affecting the lawfulness of prior processing

To exercise any of these rights, please contact us at privacy@whatsgoingon.london. We will respond to your request within one calendar month.

If you are unsatisfied with our handling of your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10. Data security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. These measures include encrypted connections (TLS/HTTPS), secure authentication tokens, access-controlled database systems and regular security reviews. However, no method of electronic transmission or storage is wholly secure, and we cannot guarantee absolute security.

11. Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay, informing you of the nature of the breach, the likely consequences and the measures taken or proposed to address it.

12. Children's privacy

The Service is not directed at individuals under the age of 13. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us immediately and we will take steps to delete such data.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Any material changes will be posted on this page with a revised effective date. Your continued use of the Service following the publication of changes constitutes acceptance of the updated policy.

14. Contact

For any questions, concerns or requests relating to this Privacy Policy or the processing of your personal data, please contact us at privacy@whatsgoingon.london.