Data Protection Policy (UK DPA 2018 / EU GDPR)
Last updated May 2026
Principles
We aim to follow the GDPR principles: lawfulness/fairness/transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality, and accountability.
Data minimisation
We deliberately collect almost nothing: no accounts, no contact details, no behavioural tracking. Location is used transiently and not stored server-side in this build.
Security
The site is served exclusively over HTTPS/TLS. There is no user database in the current build, so there is no central store of personal data to breach. When a backend is introduced, it will use encryption in transit and at rest, least-privilege access, and audit logging.
Processors
Vercel (hosting/CDN) and CARTO/OpenStreetMap (map tiles). Data Processing Agreements should be executed with each before processing personal data at scale.
International transfers
Hosting may process data outside the UK/EEA. Appropriate safeguards (e.g. Standard Contractual Clauses) should be confirmed with processors.
Breach response
Any personal-data breach posing a risk to individuals will be assessed and, where required, reported to the ICO within 72 hours and to affected users without undue delay.
These documents are provided in good faith and describe how queer.bar currently works. They are drafts and not legal advice; have them reviewed by a qualified lawyer before relying on them. Compliance with GDPR, the UK Data Protection Act 2018, and US/EU privacy laws is an ongoing organisational responsibility, not something software alone establishes.