Last updated: March 2026
This Privacy Policy describes how QUp ("we", "us", or "our") collects, uses, and protects your personal data when you use the QUp mobile application ("App") and our website at www.qup-live.com ("Website").
1. Data Controller
Amin Jaoui
Mitterweg 154
6020 Innsbruck, Austria
Email: queueuplive@gmail.com
Given the scale of our operations, a Data Protection Officer has not been appointed. For privacy inquiries, contact queueuplive@gmail.com.
2. What Data We Collect
We collect the following categories of personal data:
- Account Information: Username, first name, last name, email address, date of birth, gender (optional), profile picture
- Authentication Data: Encrypted password (email signup), OAuth tokens (Google/Apple sign-in)
- Location Data: GPS coordinates (when you grant permission) to show nearby venues and enable queue reporting
- Usage Data: Queue reports, venue interactions, contributions, points, streaks, badges, and leaderboard rankings
- Accessibility Preferences: Any accessibility needs you choose to share (wheelchair accessible parking, entrance, restroom, seating)
- Device Information: Push notification token (Expo), device type, operating system
- Subscription Data: Subscription status and purchase history (processed by RevenueCat)
- Analytics Data: App usage patterns and session data (collected by Firebase Analytics), crash reports, error tracking, and session replays (collected by Sentry)
- Advertising Data: Device identifiers and ad interaction data (collected by Google AdMob) when you consent to personalized advertising
- User-Generated Photos: Queue report photos, venue photos, and profile pictures that you upload. These images are processed by AI systems for analysis and content moderation as described in Section 6 below.
3. Purpose of Processing
We process your personal data for the following purposes:
- To create and manage your user account
- To provide queue and crowd reporting features
- To analyze queue report photos using artificial intelligence to estimate wait times and crowd levels
- To automatically moderate uploaded images for policy violations and prohibited content
- To display nearby venues based on your location
- To operate gamification features (points, levels, streaks, badges, leaderboards)
- To send push notifications about queue updates and achievements
- To manage subscriptions and premium features
- To personalize your experience based on accessibility preferences
- To display relevant advertisements (with your consent)
- To improve and maintain the App
4. Legal Basis for Processing
We process your data based on the following legal grounds under the GDPR:
- Contract Performance (Art. 6(1)(b) GDPR): Processing necessary for providing QUp services
- Consent (Art. 6(1)(a) GDPR): Location data, push notifications, optional profile data, personalized advertising
- Explicit Consent (Art. 9(2)(a) GDPR): Accessibility preferences, which may relate to health data and are only processed with your explicit consent. You can withdraw this consent at any time by removing your accessibility preferences in the App.
- Legitimate Interest (Art. 6(1)(f) GDPR): Improving our services, ensuring security, and automated content moderation to maintain a safe platform
5. Third-Party Services
We use the following third-party services:
- Firebase (Google): Authentication, database (Firestore), cloud functions, storage, and analytics. Data may be transferred to the US under Google's Standard Contractual Clauses.
- Sentry: Crash reporting, error tracking, and session analytics. Data is processed in the EU (Germany) via Sentry's EU data residency.
- Google AdMob: Advertising. Collects device identifiers and usage data for ad delivery. Personalized ads are only shown with your consent, which you can manage in the App under:
Profile → Settings → Privacy → Advertising. - Discord: Internal moderation tools. Bug reports and content violation reports may be forwarded to Discord for team review. No personal user data is shared.
- Expo: Push notifications and app updates
- RevenueCat: Subscription management and in-app purchase processing
- Google Maps Platform: Venue location and mapping services
- Apple/Google Sign-In: OAuth authentication providers
- DiceBear: Default avatar generation
- OpenStreetMap (OSM): Venue data (names, locations, categories) sourced from the OpenStreetMap database, licensed under the Open Database License (ODbL). No personal data is collected through OSM.
- Vercel Analytics & Speed Insights: Anonymous, aggregated website usage data. These services do not use cookies and do not collect personal data or IP addresses.
- Google AI (Gemini): Queue report photos are analyzed by Google Gemini 2.5 Flash (via Vertex AI, europe-west1 region) to estimate wait times and crowd levels. Photos are also analyzed for content policy violations. Images are sent as ephemeral base64 data and are not stored by Google after processing. Google processes this data under their Data Processing Addendum. Your data is not used by Google to train or improve AI models.
- Google Cloud Vision API: All uploaded images (queue photos, venue photos, profile pictures) are automatically scanned using Google Cloud Vision SafeSearch detection for adult, violent, and racy content. Processing occurs in the europe-west1 region. Images are processed ephemerally and are not retained by Google.
6. AI Processing and Automated Analysis
QUp uses artificial intelligence to enhance queue reporting accuracy and to maintain a safe platform. The following AI processing occurs:
Queue Photo Analysis
When you submit a queue report with a photo, the image is sent to Google Gemini 2.5 Flash (hosted in the europe-west1 region via Google Vertex AI) to:
- Validate whether the photo shows a queue or venue-related scene
- Estimate the crowd level (empty, light, moderate, busy, or packed)
- Estimate the wait time in minutes
These AI suggestions are presented to you as recommendations only. You can accept, modify, or ignore them before submitting your report. AI suggestions do not override your input.
Automated Content Moderation
All images uploaded to QUp (queue report photos, venue photos, and profile pictures) are automatically analyzed for prohibited content using:
- Google Cloud Vision API (SafeSearch): Detects adult, violent, and racy content
- Google Gemini 2.5 Flash: Detects weapons, drugs, hate symbols, self-harm imagery, and other policy violations
Content that is flagged by automated moderation is reviewed and may be removed. Moderation results (flag status and categories) are stored in our database. The images themselves are not stored by Google's AI services after processing.
No AI Training
Your photos and data are never used to train, fine-tune, or improve any AI or machine learning models. All AI processing is strictly for the purposes described above.
AI Data Retention
Photos sent to Google AI services (Gemini and Cloud Vision) are processed ephemerally as base64-encoded data and are not stored by Google after processing. The AI-generated results (such as suggested crowd level, wait time, moderation flags, and confidence scores) are stored in our Firestore database as part of your report or content record and are retained in accordance with Section 7 below.
7. Data Retention
We retain your personal data for as long as your account is active. If you delete your account, your data will be permanently removed from our systems within 30 days, except where we are legally required to retain it (e.g., transaction records). Anonymized and aggregated data (such as venue queue statistics) may be retained indefinitely.
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate data via your profile settings
- Right to Erasure: Delete your account and all associated data. You can do this directly in the App under:
Profile → Settings → Danger Zone → Delete Account,
or by contacting us at queueuplive@gmail.com. - Right to Restriction: Restrict processing of your data
- Right to Data Portability: Receive your data in a structured, machine-readable format (JSON). You can request a data export by contacting us.
- Right to Object: Object to processing based on legitimate interest
- Right to Withdraw Consent: Withdraw consent at any time.
To disable location: Profile → Settings → Preferences → Location Services.
To disable notifications: Profile → Settings → Account → Notifications. - Rights Related to Automated Processing: You have the right to obtain human intervention in automated content moderation decisions, to express your point of view, and to contest the decision. Contact us at queueuplive@gmail.com to request a human review.
To exercise any of these rights, contact us at queueuplive@gmail.com. We will respond to your request within one month of receipt. This period may be extended by two further months for complex requests, in which case we will inform you.
9. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected
- Right to Delete: Request deletion of your personal information, subject to certain exceptions
- Right to Opt-Out of Sale: We do not sell your personal information to third parties
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise these rights, contact us at queueuplive@gmail.com.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS/SSL), secure authentication via Firebase, and access controls. However, no system is 100% secure, and we cannot guarantee the absolute security of your data.
11. Automated Decision-Making
In accordance with GDPR Article 22, we inform you about automated decision-making in our services:
- Content Moderation: Uploaded images are automatically analyzed for policy violations. Content flagged by our AI systems may be removed or restricted. These automated decisions are based on our legitimate interest in maintaining a safe platform (Art. 6(1)(f) GDPR). You can contest any automated moderation decision by contacting us at queueuplive@gmail.com, and a human review will be conducted.
- Queue Analysis Suggestions: AI-generated wait time and crowd level estimates are provided as suggestions only. You always retain full control to accept, modify, or reject these suggestions before submitting a report. This does not constitute automated decision-making under Article 22 as it produces no legal or similarly significant effects.
We do not use profiling that produces legal or similarly significant effects on you.
12. Children's Privacy
QUp is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us and we will take steps to delete such information.
13. International Data Transfers
Your data may be processed outside the European Economic Area (EEA) by our third-party service providers (primarily Google/Firebase in the US). Google LLC is certified under the EU-U.S. Data Privacy Framework, which has been recognized as providing an adequate level of data protection by the European Commission. Transfers are additionally protected by Standard Contractual Clauses and other appropriate safeguards as required by the GDPR.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via the App or email at least 30 days before they take effect. Where changes affect processing based on your consent, we will ask for your renewed consent before applying them.
15. Data Attribution
QUp uses venue data from OpenStreetMap, licensed under the Open Database License (ODbL). In compliance with the ODbL share-alike clause, we make our modifications to this data publicly available. You can view and download this data on our Data Attribution page.