← pubtwins

pubtwins — Privacy Notice

v0.1 — DRAFT. Pending lawyer review.

The database this notice describes is now live. The notice is therefore in force, and every factual claim in it is meant to be literally true today. If you find one that is not, that is a bug — see the last line.

Last updated: 14 July 2026.

The short version, in the first paragraph, because it is the thing you actually want to know:

Your answers leave your phone. They are sent to us, stored in a database, and pooled with everyone else's. That is not a side effect — it is the entire product. A pub only gets a character, and only finds its twin, because lots of people answered the same questions about it and we averaged them.

An earlier version of this app kept everything in your browser and sent it nowhere. That is no longer true, and this notice was rewritten the day it stopped being true rather than the week after.

What we still do not have: your name, your email, a password, or any way to work out who you are. See §2 — it is an honest limitation as much as a feature.

We have tried to keep this readable. Where being readable and being accurate pulled in different directions, accurate won. A privacy notice you cannot trust is worse than a boring one.


1. Who we are

pubtwins is run by Camtek Software LLC, a limited liability company registered in the State of Georgia, USA. Camtek Software LLC is the data controller for everything described in this notice. The domain is pubtwins.com. The app currently runs at pubtwins.pages.dev on Cloudflare, as a private test link — it is not indexed by search engines and is not linked from anywhere public.

Camtek Software LLC [POSTAL ADDRESS — TO BE SUPPLIED] Georgia, United States

[TO SUPPLY: a business postal address — a PO box or registered agent, NOT a home address.

The controller's address is published here permanently and cannot be un-published. pubtwins hosts public complaints about named businesses, some of which will have irritated landlords behind them, so a residential address is the wrong thing to attach to it. A PO box or a Georgia registered-agent service costs very little and is the normal answer.

The real address is deliberately not recorded anywhere in this repository, so that it cannot reach git history by accident. Supply it at publication time.]

[TO SUPPLY: the publicly named contact for content reports. The OSA and the DSA both require a named human, not "the team" — so a name will have to appear here eventually. For a one-person operation that is likely the owner, but it publishes a personal name against a complaints platform, and it deserves to be a decision rather than a default. Consider a role address (reports@pubtwins.com) with a named individual behind it.]

Our UK representative

Camtek Software LLC is established in the United States and offers this service to people in the United Kingdom. Under UK GDPR Article 27 we have therefore appointed a representative established in the UK. You may contact them instead of us about anything in this notice, and so may the Information Commissioner's Office.

Resolve Information Technology Open Space, Business Centre, Upper Interfields Malvern WR14 1UT United Kingdom

Companies House no. 04215680 support@resolvetech.co.uk

[TO CONFIRM: the written mandate. An Art. 27 appointment must be made in writing. Resolve Information Technology is named here, but the appointment itself is not yet papered. This is a short document and a solicitor should draw it — it is not optional, and naming them in a public notice before the appointment exists is the wrong way round. Do not launch on this.]

[TO CONFIRM: that support@resolvetech.co.uk is monitored for this purpose, and that whoever reads it knows that ICO correspondence and data-subject requests may arrive there. An Art. 27 representative is not a mailbox — they are expected to act, and to maintain the Art. 30 record of processing. The address is no good if it lands in a support queue that treats it as spam.]

[TO CONFIRM: whether an EU representative is also needed. UK and EU are separate regimes — a UK company cannot serve as the EU representative, and the one named above covers the UK only. The EU obligation bites when we offer the service to people in the EU, which is about targeting, not mere accessibility. Today the anchor cities are Atlanta and London (US + UK), so our reading is that EU Art. 27 does not yet apply. The day a pub in Dublin, Berlin or anywhere else in the EU is seeded, that reading expires and a second, EU-established representative is required. That is a product decision carrying a legal consequence; see the pre-launch checklist.]

[TO CONFIRM: contact address for privacy questions. A monitored email address. Do not launch with a placeholder here.]

We have not appointed a Data Protection Officer. [TO CONFIRM: whether one is required. On the current design — small scale, no special-category data by intent — probably not. A lawyer should confirm rather than us assuming.]

2. The honest limitation, up front: there are no accounts

pubtwins has no login. No email, no password, no username, no name. When you first use the site, we generate an anonymous identifier for you and remember when we generated it. That is the entire "account".

This is good for you in one way and awkward in another, and both deserve saying:

Good: we hold no email address, no password, and no name. There is nothing to leak, nothing to sell, and nothing for us to accidentally use to work out who you are.

Awkward: "your data" is tied to a browser, not to a person. We cannot tell that two browsers are the same human, and we cannot prove that a human asking us to delete something is the human who posted it. Practically:

This is a real limitation, not a legal disclaimer dressed as one. When accounts arrive, this section changes and we will say so.

3. What we collect, and why

What What it actually is Why we have it
Anonymous user record A generated id and the timestamp of when it was created. No email, no password, no name. We need to attach answers to someone, and we need the timestamp. Account age is the defence against brigading — a two-day-old id carries a fraction of the weight of a two-year-old one. Without a creation date, a coordinated pile-on on a pub is indistinguishable from twenty regulars agreeing.
Questionnaire submissions Which pub, which anonymous id, when, and the answers themselves (the scales, the enums, the dive-o-meter). This is the product. Answers are aggregated across everyone who has visited a pub to build its character profile, which is what finds its twin.
Free-text "flavour" answers Two short fields, in your own words. These are shown publicly on the pub's page. Because a checkbox cannot be funny. They never enter the matching engine — they are for humans to read.
Reports and flags What you reported, which content, why, when, and the anonymous id that filed it. You cannot run a report mechanism without recording reports. The UK OSA and the EU DSA both require us to have one.
Moderation decisions log A permanent, append-only record of every moderation decision: what was reported, what we decided, on which rule, when, and which content and anonymous id it concerned. Kept even after the content is gone. Required by law. See §5 — this one gets its own section, because it is the one place we deliberately keep something after you would expect it to be gone.
Photos (not built yet — you cannot upload one today) Images you upload of a pub's interior, plus the anonymous id and timestamp. Published publicly once screened. The carpet deserves to be seen. Rules in the House Rules, rule 5.

[TO CONFIRM: photo metadata. Phone photos carry EXIF data, which routinely includes GPS coordinates and a device identifier. Our intention is to strip EXIF on upload and store none of it. This must be confirmed as built before photos launch — if it is not stripped, this notice is wrong and we are storing location data we did not tell anyone about.]

[TO CONFIRM: geolocation. The "pubs near me" feature will ask for your location. Our intention is to use it in the browser only, for the duration of the query, and never store it. Confirm before shipping.]

Server logs and IP addresses — decided

We do not store your IP address. Not in the database, not against your submissions, not hashed, not truncated. There is no column for it and no code that writes one.

Cloudflare, who host the API, necessarily see the IP address of every request — that is how the internet works, and it cannot be otherwise. They retain their own edge logs briefly for security and abuse purposes, as their infrastructure provider role requires. We do not pull those logs into pubtwins, we do not join them to your answers, and we do not keep a copy.

We considered storing a salted hash of the IP against each submission. It would genuinely help: "ten new accounts, one pub, one week, one IP" is a strong signal of a coordinated pile-on that account age alone misses. We decided against it. A hashed IP is still personal data, it would have to be justified and retention-capped, and it would mean quietly building the thing that lets us link a browser to a household — for a website about carpets. The defence we already have (account age plus the outlier arithmetic, see the House Rules, rule 6) is weaker but honest, and we would rather be weaker and honest.

If that ever stops being enough — if a real brigade gets through — the answer is to revisit this openly and in this notice, before shipping it, and not to reach for it quietly on a bad afternoon.

[TO CONFIRM: analytics. Our intention is none. No Google Analytics, no third-party trackers, no advertising pixels. Confirm this stays true, and if any analytics is added, this notice must be updated before it ships.]

What we do not collect

No email address. No password. No name. No date of birth. No payment details. No contacts, no calendar, no microphone. We do not track you across other websites, and we do not sell anything to anyone. There is no advertising network in this app.

4. The lawful basis for each of these

[TO CONFIRM: this whole table with a lawyer. The reasoning below is ours and we believe it holds, but the lawful basis is exactly the kind of thing a non-lawyer gets subtly wrong.]

Purpose Lawful basis (UK/EU GDPR)
Storing your anonymous id, submissions and flavour text so that the site works at all Legitimate interests — Art. 6(1)(f). Running the service you asked us to run. Minimal data, no profiling of you as a person, no surprises.
Using account age and consensus to weight answers Legitimate interests — Art. 6(1)(f). Defending the site and its users against coordinated manipulation.
Publishing flavour text and photos Legitimate interests — Art. 6(1)(f). You typed it into a box that says it will be published, on a page that is public.
Reports, flags, and the moderation decisions log Legal obligation — Art. 6(1)(c). The UK Online Safety Act and the EU Digital Services Act require a report mechanism, a named contact, and records of moderation decisions. We do not get to decide not to keep these.

You can object to processing based on legitimate interests. See §7.

5. The moderation log is permanent, and that is on purpose

This is the part of the notice we most want you to actually read, because it is the one thing here that is not what you would guess.

When a piece of content is reported and we act on it, we hide or delete the content — and we write a permanent record of the decision. That record survives the content. Deleting the offending sentence does not delete the note saying we deleted it.

The record contains what was reported, which rule it broke, what we decided, when, who decided, and the anonymous id involved. It may include a copy of the removed content itself, because a record of a decision you cannot inspect is not a record of anything.

We keep it because we are required to. The UK Online Safety Act and the EU Digital Services Act both require a platform to keep records of its moderation decisions — that is the entire point of them: they exist so that a regulator, a court, or an appellant can check whether we behaved consistently, and so that we cannot quietly revise our own history. A moderation log that can be edited by the people who made the decisions is worthless, and a moderation log that can be deleted on request is one request away from worthless.

So: a request to delete your data will not remove entries from the moderation log. We would rather tell you that here, in advance, than surprise you with it when you ask.

[TO CONFIRM: retention period for the moderation log. "Permanent" is our intent and matches the spirit of the OSA/DSA record-keeping duties. A lawyer should tell us whether an indefinite period is defensible or whether it must be a fixed number of years — GDPR storage limitation and the OSA/DSA record duties have to be reconciled here, and we should not guess.]

6. How long we keep everything else

Data Kept for
Anonymous user record (id + creation date) As long as the site runs, or until you ask us to delete it. The creation date is only useful if it is old, so we cannot usefully expire it.
Questionnaire submissions Indefinitely. A pub's character profile is the accumulation of them; deleting them degrades the pub, not just the record. [TO CONFIRM: whether "indefinitely" survives a lawyer's reading of storage limitation, or whether we need a stated period.]
Flavour text and photos Until you delete them, or we do (rule breach), or the site closes.
Reports you file [TO CONFIRM: retention period. Tied to the moderation log question in §5.]
Moderation decisions log Permanently. See §5.
Anything in your browser's storage Your anonymous id, and any answers still queued because you had no signal. Until you clear it, or the queue is sent. Entirely within your control.

7. Your rights, and what we can honestly do about them

If you are in the UK or the EU, you have the right to access your data, correct it, delete it, restrict or object to how we use it, and receive a copy of it. These rights are real and we will honour them.

How to exercise them: [TO CONFIRM: contact address — see §1.]

Now the honest part. With no accounts (§2), we cannot verify that you are the person whose data you are asking about. We are not going to hand over one browser's contribution history to whoever asks nicely — that would be its own privacy failure. So in practice:

What deletion actually does. We remove your submissions and your flavour text. The affected pub's profile is then recomputed without them — your answers stop influencing its twin. What deletion does not do is empty the moderation log (§5), and it does not delete other people's answers about the same pub.

Complaints. If you think we have handled your data badly, please tell us first — but you are entitled to go straight to a regulator, and you do not need our permission. In the UK that is the Information Commissioner's Office (ico.org.uk). In the EU it is your national data protection authority.

8. Who else touches your data

Who Doing what
Cloudflare Hosting, the API (Workers), the database (D1), and photo storage (R2). They process data on our instructions.
Cloudflare (again) Also serves the app itself (Pages). The app and the API are on the same origin, so no third party sits between you and us.
A photo-screening service (not yet chosen, not yet built) Automated checking of uploaded photos before they go public. [TO CONFIRM: which service — AWS Rekognition, Google Vision SafeSearch, or a vision model. Whichever it is, uploaded photos will be sent to it, and this table must name it before photos launch.]

We do not sell your data, we do not share it with advertisers, and there is nobody else on this list.

[TO CONFIRM: international transfers. The controller is a US entity and the infrastructure is US-headquartered. Data from UK and EU users therefore leaves the UK/EEA. The lawful transfer mechanism — Standard Contractual Clauses, the UK Addendum/IDTA, the EU–US Data Privacy Framework, or some combination — needs a lawyer to specify, and then needs stating here plainly.]

9. Cookies and browser storage

We do not use tracking cookies, advertising cookies, or third-party analytics.

We do use your browser's storage, and it is strictly functional. It holds two things: your anonymous id, so the site recognises you between visits, and — if you answered a questionnaire somewhere with no signal — the answers still waiting to be sent. A cellar bar with no reception is a good sign about the pub and a bad one for a network request, so we hold them on your phone until you surface.

Nothing in it is shared with anybody. You can wipe it whenever you like, and clearing your browser data does the same job.

[TO CONFIRM: whether a cookie banner is required. On a strictly-functional-storage-only design, our reading is no. That reading is worth a lawyer's five minutes rather than our confidence.]

10. Children

pubtwins is about pubs. It is not intended for anyone under 18, and we do not knowingly collect data from children. There is no age gate today. [TO CONFIRM: whether the UK Online Safety Act's children's-access assessment obliges us to have one. This is a specific, named duty under the OSA and it needs a specific, named answer.]

11. Changes to this notice

When what we store changes, this notice changes first, and the change gets a date at the top. If the change is material — new data collected, new third party, a new purpose — we will say so on the site rather than quietly editing the page and hoping.


Written to be checked. If anything here is vague, wrong, or reads as though it is trying to get away with something, that is a bug and we would like to hear about it.