1. Who we are
ODDS · Miami is a city-native social product for runners, operated by Goc Ventures Group LLC, a Florida limited liability company. The service consists of an iOS app, an Android app, this marketing website, and a backend hosted on InsForge. For EU and UK users this entity is the data controller under GDPR / UK GDPR.
2. What we collect — account & identity
Email address (required), password (hashed by InsForge, never stored in plaintext), and if you sign in with Apple or Google, the stable identifier and email returned by that provider. Optional profile fields: username, display name, bio, Instagram handle, gender, avatar image. Optional fields can be removed at any time in Settings.
3. What we collect — location
Exact latitude and longitude, foreground only, only when you actively tap 'find runs near me' or create an event. We do not request 'always' permission and we do not run background location. Coordinates are stored on events you create and used transiently for radius search.
4. What we collect — health & fitness (iOS, opt-in)
If you opt in, we read running workouts from Apple HealthKit for the past 14 days to auto-verify your RSVPs (matched against event time within ±30 minutes). The match runs entirely on your device. We never upload your workouts, route, pace, heart rate, or any other HealthKit data to our servers — only a verified flag against the specific event you attended. Revoke any time in iOS Settings → Privacy → Health. Android does not currently integrate Google Fit or Health Connect.
5. What we collect — device data
Push notification token (APNs on iOS, FCM on Android) so we can send notifications you opted into. A random per-install UUID stored locally — this is not Apple's IDFA or Google's AAID; we use it only to dedupe anonymous search analytics. App and OS version, sent with API requests, for bug fixes. IP and User-Agent on public web forms (event proposals, waitlist) for rate limiting and abuse prevention. We do not collect IDFA / AAID and we do not show an App Tracking Transparency prompt because we have nothing to track across apps.
6. What we collect — your content
Events, RSVPs, vibe checks (comments and emoji reactions), direct messages, friend relationships, badges you earn, event proposals, and waitlist signups. Direct messages are stored on our servers and are not end-to-end encrypted — treat them as private email, not as a sealed letter.
7. What we do NOT collect
No Google Analytics, Meta Pixel, Sentry, PostHog, Mixpanel, Amplitude, Segment, or Vercel Analytics. No advertising SDKs, retargeting pixels, or data brokers. No access to your contacts, calendar, mic, SMS, or camera roll beyond the photo you pick for your avatar. No background or 'always' location. No HealthKit write access. No IDFA / AAID. No sale of personal information, ever.
8. How we use your data
Operating the service (sign-in, RSVPs, feed, messaging) on the basis of our contract with you. Verifying RSVPs against your workouts under your explicit consent for health data. Sending transactional email (verification, reset, RSVP confirmation) as part of the contract. Sending push notifications you opted into. Showing events near you only after you grant location permission. Preventing abuse on public forms as a legitimate interest. We do not make automated decisions that produce legal or similarly significant effects on you.
9. Who we share with
Infrastructure providers acting on our instructions only: InsForge (backend host — auth, database, file storage), Vercel (web hosting), Apple APNs (iOS push delivery), Google FCM (Android push delivery), and Apple / Google as OAuth identity providers if you choose them. We do not share with advertisers, ad networks, data brokers, or attribution providers. We may disclose data when required by law (subpoena, court order); we will not disclose more than necessary and will notify you unless legally prohibited.
10. International transfers
Data is stored and processed in the United States. If you access the service from the EU, UK, or elsewhere outside the US, your data is transferred to the US. We rely on the EU–US Data Privacy Framework (where applicable to our processors) and Standard Contractual Clauses with processors that have not self-certified.
11. Retention
Account, profile, events, RSVPs, messages, friends, and vibe checks are retained while your account is active and deleted when you delete your account. Activity pings auto-expire after 4 hours. Anonymous search logs aggregate into a 7-day rolling view; raw rows are kept up to 90 days for abuse detection. Push tokens are replaced on every device re-registration. Event-proposal IP and User-Agent are kept 90 days for rate limiting, then nulled. Server logs roll on a ~30-day window. Backups are purged on the same cadence after account deletion (excluding any rolling backup window — typically ≤30 days residual).
12. Your rights
You have the right to access, correct, delete, restrict, port, and object to processing of your data, and to withdraw consent at any time. Account deletion is available in-app under Settings → Account → Delete account. Request other rights at tugberk@gocventures.com. EU and UK users can lodge a complaint with their local supervisory authority — we'd appreciate the chance to address concerns directly first.
13. California (CCPA / CPRA)
Categories collected: identifiers (email, username, OAuth subject, device UUID, IP on web forms), customer records (profile fields), internet/network activity (search queries, request logs), geolocation (precise, only with foreground permission), sensory data (avatar photos), and sensitive personal information (precise geolocation, health/fitness data). We use sensitive PI strictly for the purposes in section 8 and do not infer characteristics about you. No sale. No share for cross-context behavioral advertising. Rights honored at tugberk@gocventures.com or via in-app account deletion. Authorized agents accepted with verified power-of-attorney.
14. Security
All traffic is TLS-encrypted in transit. Passwords are hashed by InsForge. Auth tokens are stored in iOS Keychain (hardware-backed where available) and Android EncryptedSharedPreferences. The database is encrypted at rest. Access to production data is restricted and logged. Direct messages are not end-to-end encrypted. No system is perfectly secure; if we become aware of a breach affecting your data we will notify you and the relevant supervisory authorities within the windows required by law (72 hours under GDPR).
15. Children
ODDS · Miami is for adults. You must be 18 or older to create an account. We do not knowingly collect data from anyone under 18. If we learn that we have, we delete it immediately. Parents and guardians who believe a minor has registered should contact tugberk@gocventures.com.
16. Cookies
The marketing site sets one cookie: odds_city, which remembers which city's content you're viewing. It is strictly functional, first-party, and not shared. We do not use analytics, advertising, or tracking cookies and we do not show a consent banner because the inventory is strictly necessary. The native apps do not use web cookies. Full inventory at /cookies.
17. Marketing email
Transactional email (verification codes, password resets, RSVP confirmations, event reminders you opted into) is sent on the basis of our contract with you. Marketing email, if and when we send any, is sent only to opt-in addresses, includes a one-click unsubscribe honored within 10 business days, and complies with the US CAN-SPAM Act, EU ePrivacy Directive, and Canada's CASL.
18. Changes to this policy
For material changes (new data category collected, new third party, new use that changes the legal basis), we give at least 30 days' notice via in-app banner and email before the change takes effect, and we may require you to re-consent. For non-material changes (clarifications, typo fixes, address updates) we update the 'Last updated' date above.
19. Contact
Privacy questions: tugberk@gocventures.com. Postal: Goc Ventures Group LLC, 92 SW 3rd St Apt 2907, FL 33130, United States. DMCA notices: /dmca.