What we collect, why, and what you can do about it.

Closish (“Closish,” “we,” “us”) helps you find the food, coffee, bars, and places people are actually talking about on TikTok and Instagram, on a single map. This Privacy Policy explains how we collect, use, share, and retain information when you visit closish.com, use the Closish app, or join our waitlist.

Closish is a small team. We collect as little as we can get away with, and we’d rather tell you the truth in plain language than hide behind a wall of legalese. If something below is unclear, please write to privacy@closish.com and we’ll fix it.

We collect three buckets of information: things you give us directly, things our website and apps record automatically as you use them, and a narrow set of things from third parties that help us run the service.

Information you give us directly

• Waitlist sign-ups. When you join the early access list at closish.com, we collect your email address, the top three cities you picked (from a fixed list, with the option to type a custom city name), and an optional referral code if you arrived with a ?ref= link.
• Influencer prompt (optional).If, after signing up, you tell us you’re an Instagram or TikTok creator, we collect the platform you picked (Instagram, TikTok, or both) and the handle you type. We use this only to reach out about partnerships before launch.
• Account information. The Closish app lets you sign in so you can save spots, leave reviews, and personalize the app over time. We sign you in with a one-time code sent to your email— there is no password to create or remember. We collect your email address and an optional display name you can set and change in the app. We do not collect a password (we never see one), and we do not use third-party social logins.
• Anything you write to us. If you email us, fill in a feedback form, or message us through any support channel, we keep that correspondence so we can answer you and improve the product.
• Notification preferences. If you turn on notifications in the app, we store which categories of notification you want (for example, trending spots near you, a weekly digest, or product updates). You control these in the app, and you can turn the whole thing off in iOS Settings at any time.

Information collected automatically

• Usage analytics. We use PostHog to understand how people use the website and apps. PostHog records page views, taps and clicks, form submissions, and a short list of named events (for example: “you opened a spot,” “you tapped Directions,” “you applied a filter,” “you joined the waitlist from the home page”).
• Session replay.PostHog also records the page itself as you use it — the things on the screen, the order you tap them, and how the screen changes in response. We use these recordings to find bugs and to see where the product confuses people. See the Session replay section below for the plain-language version of what this actually records.
• Error reports.When the app or site throws an exception, PostHog captures the error details, the URL you were on, and a short snapshot of the surrounding state. No payment info or passwords are involved — we don’t collect those.
• Push notification token. If you turn on notifications, Apple gives the app a device token— an identifier that lets us send notifications to your device. We store it (with your account if you’re signed in, otherwise on its own) so we can deliver the notifications you asked for. It is not used to track you across apps.
• Aggregate web traffic.Vercel Analytics records lightweight, privacy-respecting page-view counts and referrers (no cookies, no cross-site tracking). It’s what tells us “X people read the landing page today.”
• Server logs. When you make a request to our waitlist endpoint, the server records your user-agent string (which browser and OS made the request) so we can debug bad signups and triage spam. The user-agent string is stored alongside the waitlist row.
• Map tile + Places metadata. When the map loads, your browser fetches map tiles from Mapbox. Mapbox receives standard request metadata (IP address, user-agent, approximate map area being loaded) under their terms. When we look up details about a specific venue, we query the Google Places API for that venue’s public record — we send Google a place identifier; we do not send Google any information about you.

Location, only when you allow it

The Closish app and website can show spots near you and sort results by distance, but only if you grant the location-permission prompt your device shows. If you say no, we fall back to the city center for the city you’re browsing. If you say yes, your device’s coordinates are used in-memory to filter and sort the list and to center the map — we do not send your precise location to our servers, and we do notsave it to your account, unless and until you explicitly take an action that requires saving it (for example, “save this spot” once that feature ships).

Cookies and device storage

• Functional cookies. A small number of cookies keep things working: a session cookie set by our hosting platform (Vercel), a preview-access cookie that gates the live /app URL during private testing, and short-lived analytics cookies set by PostHog to keep your visits stitched into one session.
• Map tile caching. Mapbox uses standard browser caching to avoid redownloading the same map tiles every time you pan and zoom.
• No advertising cookies. We do not run third-party advertising, and we do not set advertising or cross-site-tracking cookies.

Each thing above maps to a specific purpose. We don’t collect data “just in case.”

• Waitlist email + cities→ so we can email you when Closish launches in one of your cities, and so we know which cities to launch in next.
• Optional referral code→ so we can attribute signups to the friend or campaign that sent you, and credit founding-user perks correctly.
• Influencer handle + platform→ so we can reach out about a partnership before launch.
• Account information (email + display name) → to send your one-time sign-in code, identify you when you sign in, save your spots and reviews, and personalize the app to your tastes.
• Usage analytics + session replay + error reports → to see what works, fix what’s broken, and decide what to build next.
• Location (when granted)→ to sort spots by distance and center the map on you.
• Push notification token + preferences → to send only the categories of notification you opted into, and to stop sending the ones you turn off.
• Server logs (user-agent on waitlist signups) → to debug bad signups, triage spam, and understand which devices are signing up.
• Map tiles + Places metadata→ so the map renders and so the spots show real names, hours, and ratings.

We do not sell your information. We do not use it for cross-context behavioral advertising. We don’t train AI models on your messages to us.

To run Closish, a small handful of vendors process your information on our behalf. Each one is bound by their own privacy commitments; we link those below so you can read them yourself.

Service providers (sub-processors)

• Vercel hosts the website and apps and provides aggregate web analytics. Receives request metadata (IP address, user-agent, requested URL).
• Supabase hosts our database. All waitlist signups, spot data, and (eventually) account data are stored there.
• PostHog processes our usage analytics, session replay, and error reports.
• Mapbox serves the map tiles. Receives standard request metadata when your browser loads tiles.
• Google provides the Places API we use to look up the public record for venues (name, hours, rating). We send Google a place identifier; we do not send Google information about you.
• Telegram we ping ourselves through a Telegram bot when a new waitlist or influencer signup lands, so we know in real time. The notification includes your email, the cities you picked, and (if applicable) your influencer handle and platform. The notification goes only to the founder’s private chat.

For legal reasons

We may share information when required by a valid legal process (subpoena, court order, government request) or to protect our rights, the rights of our users, or the public. Where the law allows, we will tell you about such requests before disclosing.

Business transfers

If Closish is acquired, merged, or otherwise reorganized, we may transfer your information to the resulting entity, who will be bound by this policy until they update it.

With your consent

We will share your information for any other purpose only with your explicit consent.

We do not sell your information, and we do not share it for cross-context behavioral advertising.

We use PostHog’s session replay feature, which records the structure of the page as you use it. Here is what that actually means:

• What is recorded: the visible elements on the page (buttons, text, images), the order you tap or click them, scroll position, and how the page updates in response. Think of it like a silent screen recording of the app structure.
• What is not recorded: we do not record audio, your camera, your microphone, your clipboard, or anything from other tabs or apps. Replays do not include your IP address as a watchable element.
• Form fields are masked. We configure session replay to mask the text you type into form fields— your email address, search queries, review text, and anything else you enter are hidden in the recording (shown as blocked-out characters), not captured. You can still ask us to delete your replay history at any time at privacy@closish.com.
• How long replays are kept: see the Retention section below.

No matter where you live, you can email us at privacy@closish.com to ask us to delete your data, send you a copy of what we have, or correct anything that’s wrong. We’ll respond within a reasonable timeframe (and within the legal deadline that applies to you).

If you live in California

Under the California Consumer Privacy Act (CCPA), as amended by the CPRA, California residents have the right to:

• Know what personal information we have about you and how we use it.
• Access a copy of that information.
• Deletethe personal information we hold about you, subject to a few exceptions (for example, we may keep records we’re legally required to keep).
• Correct inaccurate information.
• Opt out of the sale or sharing of your personal information. Closish does not sell your information and does not share it for cross-context behavioral advertising, so there is nothing to opt out of, but the right exists if our practices ever change.
• Not be discriminated against for exercising your rights. We will not retaliate against you, charge you more, or give you a worse experience for asking us to honor any of the rights above.
• Use an authorized agent to make a request on your behalf, with proof of authority.

To exercise any of these, email privacy@closish.com from the email address on file. We will verify your identity before honoring the request.

If you live in the European Economic Area, the United Kingdom, or Switzerland

Under the General Data Protection Regulation (GDPR) and the UK’s and Switzerland’s equivalents, you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Eraseyour data (the “right to be forgotten”), subject to legal retention obligations.
• Restrict our processing of your data in certain circumstances.
• Receive your data in a portable format that you can take to another service.
• Object to processing based on our legitimate interests.
• Withdraw your consent at any time, where processing is based on consent. Withdrawing consent does not undo any processing that already happened legally.
• Lodge a complaint with your local data-protection authority if you believe we have violated your rights.

Our legal basis for processing your data is your consent (when you join the waitlist, accept cookies, or grant location permission), our legitimate interest in running and improving the service (analytics, debugging), and our contractual obligations to you (when accounts ship, to provide the service you signed up for).

Other places

If you live somewhere else with a privacy law that gives you similar rights (Brazil, Canada, Australia, and a growing list of US states including Colorado, Connecticut, Virginia, Utah, and others), we will honor those rights to the extent the law applies to us. Email privacy@closish.com and we’ll figure it out together.

We keep different things for different lengths of time, depending on why we collected them.

• Waitlist sign-ups (email + cities + referral). Kept until you ask us to delete them, or until we decide the waitlist is no longer relevant (whichever comes first). The point of the list is to email you when we launch in your city; we don’t want to lose your spot.
• Influencer handle + platform. Kept on the waitlist row until you ask us to delete it.
• Account data (when accounts ship). Kept while your account is active. When you delete your account, your account data is deleted within 30 days, except for records we are legally required to keep.
• PostHog usage analytics.Kept according to PostHog’s default retention — up to 7 years.
• PostHog session replays. Kept for 30 days, then automatically deleted by PostHog.
• PostHog error reports. Kept for 90 days, then automatically deleted.
• Server logs. Hosting platform logs (Vercel) are kept for up to 30 days for debugging and abuse detection.
• Backup copies. Database backups may persist after a deletion request for up to 60 days while old backups age out, after which the deleted data is gone from backups too.

We use industry-standard practices to protect your information — encrypted connections (HTTPS) for every request, encrypted databases, principle-of-least-privilege access for our team, and database row-level security policies so that public reads can only see what’s meant to be public. No system is perfectly secure; if we ever discover a breach that affects you, we will tell you in line with applicable breach-notification laws.

Closish is not directed at children. We do not knowingly collect personal information from children under 13 in the United States or under 16 in the European Economic Area or United Kingdom. If you are a parent or guardian and believe your child has provided us with information, please email privacy@closish.com and we will delete it.

Closish is operated from the United States. If you use the service from outside the United States, your information will be transferred to, stored on, and processed by servers in the United States and (depending on the vendor) other countries. For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on the legal mechanisms our sub-processors offer (such as the EU Standard Contractual Clauses).

We may update this policy as Closish grows. When we do, we’ll change the “Last updated” date at the top of this page and post the new version here. If the change is material — meaning it expands what we collect, or changes who we share it with — we’ll do our best to email anyone affected before the new policy takes effect.

For any privacy question, request, or complaint, email privacy@closish.com. We read every message.

If you would prefer postal mail, please email us first and we’ll provide an address — we’re a small team and we don’t want to publish a home address.