Consumer Privacy Policy
Last updated: 27 May 2026
1. Who we are and how to contact us
Get Dizzy AI LTD ("Get Dizzy", "we", "us", "our") operates the Get Dizzy platform, a location-based venue discovery service available at getdizzy.ai and through our web-based mobile application (the "Platform"), which you can add to your phone's home screen.
We are the data controller for the personal data we collect and process about you when you use our Platform. We have not appointed a Data Protection Officer as we are not required to do so under UK data protection law, but you can contact us about any privacy matter using the details below.
Company details:
- Registered company name: Get Dizzy AI LTD
- Company number: 17045871
- Registered address: 340 The Crescent, Colchester, England, CO4 9AD
- Privacy contact email: legal@getdizzy.ai
- ICO registration number: ZC096374
If you have any questions about this privacy policy or how we handle your personal data, please contact us at legal@getdizzy.ai.
2. What this policy covers
This privacy policy explains how we collect, use, store, and share your personal data when you:
- Visit our website or use our Platform
- Create a consumer account
- Browse venues and deals
- Use our AI-powered search feature
- Save favourites, create itineraries, or plan crawl routes
- Subscribe to a paid plan
- Contact us or provide feedback
This policy applies to consumers who use our Platform to discover venues and deals. If you are a venue partner, please refer to our separate Venue Partner Privacy Policy.
The Get Dizzy Platform is offered to users in the United Kingdom only. We do not target or actively market our service to individuals in the European Union or European Economic Area, and we have not appointed an EU representative under Article 27 of the EU GDPR. If we expand the service to other jurisdictions in the future, we will update this policy and put any required representative arrangements in place.
3. Information we collect about you
Information you provide to us
- Account information: Your name, email address, and password when you create an account. We do not ask for your phone number during account creation or in your profile, though you may choose to include one in communications with us (for example, in an email signature).
- Default location / home town (optional): If you choose to share it when you sign up, we store the town or city you tell us as your local area, so we can show you what's on near you and let you know when Get Dizzy goes live in your area.
- Profile preferences: Your notification settings and display preferences
- User-generated content: Reviews, ratings, or feedback you submit about venues
- Communications: Messages you send to us through our contact form, email, or feedback tools
Information we collect automatically
- Location data: When you grant permission, we collect your precise GPS coordinates through your device's location services. We also cache your approximate location (latitude and longitude) locally on your device to improve the speed of the service. If you do not grant location permission, you can still use the Platform by searching for a location manually, though some features will have reduced functionality.
- Deal and venue interaction data: Which venues you view, which deals you interact with, venues and deals you save to your favourites, items you add to your itinerary, and crawl routes you create.
- AI search queries: When you use our AI-powered search feature, we collect the text of your search queries and the search results returned to you.
- Device and technical data: Your IP address, browser type and version, operating system, device type, and screen resolution.
- Usage data: Pages you visit on our Platform, how long you spend on each page, referral sources, and session information. This is collected by Vercel Analytics, which operates without cookies and does not store raw IP addresses. IP addresses are used only to derive country-level location data and are then discarded by Vercel.
- Marketing attribution data: If you arrive at our Platform through a marketing link, we collect UTM parameters (source, medium, campaign) and the referring website address. This data is held temporarily in your browser session and is written to your account record if you sign up, so we can understand which marketing channels are effective.
Information collected through our payment provider
When you subscribe to a paid plan, your payment is processed by Stripe, a third-party payment provider. We do not receive or store your full card details, bank account numbers, or other financial payment credentials. Stripe handles all card processing directly and hosts billing records such as invoices and receipts. Our authorised staff may access these records through the Stripe dashboard for customer support and accounting purposes.
We store the following subscription-related data in our own systems to manage your account:
- Your Stripe customer identifier and subscription identifier
- Your subscription tier (free or premium) and current status (active, trialling, past due, cancelled, or inactive)
- Your billing interval (monthly or annual)
- Your plan type (for example, plus)
- Your current billing period end date and trial end date (if applicable)
- Whether your subscription is set to cancel at the end of the current period
Stripe also processes webhook events to keep our records up to date, including notifications about successful payments, payment failures, and subscription changes. We do not store raw invoice data or detailed payment event logs in our database. For information about how Stripe handles your payment data, please see Stripe's privacy policy at stripe.com/privacy.
Whether you are required to provide data
Providing your name and email address is necessary to create an account and use the Platform's personalised features such as saving favourites, creating itineraries, and using AI-powered search. If you choose not to provide this information, you can still browse venue and deal listings without an account. Providing your precise location is optional and the consequences of not doing so are described in Section 6. If you wish to subscribe to a paid plan, you will need to provide payment details to Stripe.
Information we do not collect
We do not use advertising cookies, tracking pixels, or third-party analytics tools that create user profiles. We do not knowingly collect data from anyone under the age of 18.
4. How we use your information and our legal basis
Under UK data protection law, we must have a valid legal basis for processing your personal data. The table below explains each purpose for which we use your data and the legal basis we rely on.
| What we use your data for | Legal basis |
|---|---|
| Creating and managing your account | Contract performance - necessary to provide you with the service you signed up for |
| Managing your subscription and billing status | Contract performance - necessary to manage the paid service you have subscribed to |
| Showing you nearby venues and deals based on your location | Consent - we only access your precise GPS location when you grant permission through your device |
| Processing your AI-powered search queries and returning relevant results | Contract performance - this is a core feature of the service we provide to you |
| Logging AI search queries to monitor service quality and detect misuse | Legitimate interests - to maintain the quality and safety of the AI search feature. Our interest is in ensuring the search service works correctly and is not being abused. Queries are retained for 30 days only and are not linked to your identity when reviewed for quality monitoring, so the impact on your privacy is minimal. |
| Saving your favourites, itineraries, and crawl routes | Contract performance - these features are part of the service |
| Tracking which deals and venues you interact with (in aggregate) | Legitimate interests - to provide analytics to venue partners and improve the Platform. Our interest is in understanding how venues and deals perform so partners can improve their offerings. We carry out this processing using aggregated data that does not identify you personally to venue partners, so the impact on your privacy is minimal. |
| Collecting page view and usage data via Vercel Analytics | Legitimate interests - to understand how the Platform is used, identify technical issues, and improve the service. Our interest is in maintaining and improving a functional product. Vercel Analytics does not use cookies or create personal profiles, so the impact on your privacy is minimal. |
| Storing your default location / home town | Consent - you provide it voluntarily at signup; you can change or remove it at any time. |
| Sending you marketing emails about new venues, deals, or Platform features | Consent - we only send marketing communications where you have opted in. You can withdraw consent at any time. |
| Recording marketing attribution data (UTM parameters) at signup | Legitimate interests - to understand which marketing channels drive signups. Our interest is in spending marketing budgets effectively. The data is limited to campaign source, medium, and name, so the impact on your privacy is minimal. |
| Preventing fraud, abuse, and unauthorised access to accounts | Legitimate interests - to protect the security of the Platform and our users |
| Responding to your enquiries or complaints | Legitimate interests - to provide customer support and address your concerns |
| Complying with legal obligations (e.g. responding to lawful requests from authorities) | Legal obligation - where we are required by law to process or disclose your data |
Where we rely on legitimate interests, we have carried out a balancing assessment to ensure our interests do not override your rights and freedoms. You can ask us for details of these assessments by contacting legal@getdizzy.ai.
5. AI-powered search: how it works
Our Platform includes an AI-powered search feature that lets you find venues and deals using natural language queries (for example, "somewhere quiet for a date night" or "best happy hour deals near me").
How it works: When you submit a search query, we send the text of your query along with contextual information (your general location area, the current time, and the types of venues and deals available on our Platform) to our AI provider, Anthropic, which processes the query using its artificial intelligence technology. The AI analyses your query and returns a set of relevant venue and deal recommendations.
What data is sent to the AI:
- The text of your search query
- Your approximate location (to return nearby results)
- The current time and day (to show currently active deals)
- Information about venues and deals on the Platform (this is not your personal data)
What data is NOT sent to the AI:
- Your name, email address, or account details
- Your browsing history, favourites, or itinerary data
- Your precise GPS coordinates
Please avoid including sensitive personal information (such as health conditions, financial details, or other private matters) in your search queries. The AI search is designed to help you find venues and deals, and we cannot guarantee the confidentiality of information you voluntarily include in search text.
Special category data: Some search queries may reveal information that falls within the special categories of personal data under Article 9 of the UK GDPR — for example, a search for "halal restaurants" (which could imply religious belief) or "gluten-free deals" (which could imply a health condition). Where you choose to include such information in a search query, we treat your submission of the query as your explicit consent to process that special category data for the limited purpose of returning relevant search results to you. We do not store this data beyond the 30-day query log retention period set out in section 10, and we do not use it for any other purpose. If you do not consent to this processing, please avoid including such information in your search text.
Data handling by Anthropic: Anthropic processes your search queries under their API terms of service, which prohibit the use of API inputs and outputs for model training. This means your search queries are not used to train or improve Anthropic's AI models. We log search queries on our side for up to 30 days to monitor service quality and detect misuse, after which they are deleted.
Important points:
- Anthropic is a US-based company. See section 9 (International data transfers) for how we protect your data when it is transferred outside the UK.
- The AI does not make decisions that have legal or similarly significant effects on you. It provides recommendations only.
5a. Profiling and personalised analytics
"Profiling" under UK data protection law means any form of automated processing of personal data used to evaluate aspects of an individual — such as preferences, interests, behaviour, or location. We carry out limited profiling on the Platform.
What we do:
- Analyse your venue and deal interaction history (which venues you view, save to favourites, add to itineraries) to surface relevant search results and recommendations within the Platform.
- Use your approximate location to filter results by proximity.
- Aggregate interaction data across users to produce performance analytics for venue partners. This aggregated data does not identify you personally to partners.
What we do not do:
- We do not make solely automated decisions that produce legal or similarly significant effects on you within the meaning of Article 22 UK GDPR.
- We do not use profiling for advertising, behavioural targeting, or building marketing audiences for resale or external use.
- We do not share individual-level profiles with venue partners or any other third party.
Some operational processes — for example, flagging an account for suspected fraud or abuse, or applying rate limits to AI search to manage capacity — involve automated logic. These do not amount to Article 22 decisions: they do not produce legal or similarly significant effects on you, and a human reviewer is involved before any account is suspended or terminated.
You have the right to object to profiling carried out under our legitimate interests. See section 11 (Your rights) for how to exercise this.
6. Location data: what we collect and why
Location data is central to how Get Dizzy works. Our Platform helps you discover venues and deals near you, and we need to know your location to do this effectively.
Precise GPS location: We only access your precise location through your device's location services when you explicitly grant permission via your browser or device prompt. This is used to show you venues and deals nearby, display your position on the map, and calculate walking distances. You can withdraw this permission at any time through your browser or device settings.
Cached location data: To allow the map and location-based features to function when precise GPS data is unavailable (for example, if you have not yet granted location permission or your device cannot determine your position), we store your approximate latitude and longitude locally on your device in your browser's localStorage. This data stays on your device and is not sent to our servers unless you perform an action that requires it (such as loading the map view).
Location search: If you prefer not to share your GPS location, you can use the Platform by searching for a location manually. Some features (such as automatic proximity-based results and your position on the map) will not be available without GPS permission.
What we do not do with your location data:
- We do not track your location in the background when you are not using the Platform
- We do not build a history of your movements over time
- We do not sell or share your precise location with venue partners or any third party for their own purposes
- We do not use location data for advertising
7. Cookies and similar technologies
Our Platform uses very few cookies and tracking technologies compared to most online services.
Cookies
| Type | What | Purpose | Consent required? |
|---|---|---|---|
| Third-party cookies | Google Maps cookies (NID, 1P_JAR, CONSENT, APISID, SID, and similar) | Set by Google when the map view loads, to render the map correctly and prevent abuse of the Maps service. Google may also use this data for its own purposes as described in Google's privacy policy. | Yes. These cookies are not essential to the core service and require your consent before being set. We will ask for your consent before loading the map. |
Browser local storage (data stored in your browser)
Strictly necessary items (no consent required):
| What | Purpose |
|---|---|
| Authentication token | Keeps you logged in to your account (managed by Supabase) |
| Cached location | Stores your approximate coordinates so the map and location-based features can function when precise GPS data is unavailable. This data is stored on your device only and is not sent to our servers or linked to your account. |
| Onboarding flag | Remembers that you have completed the new user walkthrough |
Functional items (support your preferences):
| What | Purpose |
|---|---|
| Filter preferences | Remembers your venue type, distance, and dietary filter selections between sessions. These preferences are stored on your device only and are not sent to our servers or linked to your account. |
Browser session storage (cleared when you close the browser tab)
| What | Purpose | Strictly necessary? |
|---|---|---|
| Security token (CSRF) | Protects against cross-site request forgery attacks | Yes |
| Splash screen flag | Prevents the loading screen from showing again in the same session | Yes |
| Marketing attribution (UTM data) | Temporarily holds information about how you found our Platform | No - used for marketing analysis under legitimate interests. This data is written to your account record if you sign up. See section 4. |
What we do not use
- No advertising cookies or tracking pixels
- No third-party analytics cookies (Vercel Analytics is entirely cookieless)
- No Facebook Pixel, Google Analytics, Hotjar, or similar profiling tools
Managing cookies and storage: On your first visit to the Platform, our cookie consent banner asks for your consent before any non-essential cookies (such as Google Maps cookies) are set. You can withdraw or change your consent at any time by clearing your site data through your browser settings, which will re-trigger the banner on your next visit. You can also control cookies directly through your browser settings, and clear localStorage and sessionStorage through your browser's developer tools. Blocking Google Maps cookies may affect the map functionality on our Platform.
For full details, please see our separate Cookie Policy.
8. Who we share your data with
We share your personal data only where necessary and only with the following categories of recipients.
Service providers who help us run the Platform:
| Provider | What they do | Data they may access | Location | Role |
|---|---|---|---|---|
| Supabase | Hosts our database and manages user authentication | Account data, usage data, all stored Platform data | United States | Data processor |
| Vercel | Hosts our website and provides cookieless analytics | IP address (used to derive country-level location, then discarded), page view data | United States | Data processor |
| Anthropic | Provides the AI model powering our search feature | Search query text, approximate location, time context | United States | Data processor |
| Google | Provides the Maps service embedded in our Platform | IP address, device data (via Google Maps JavaScript API) | United States | Independent controller for some processing (see below) |
| Stripe | Processes subscription payments and hosts billing records | Subscription and billing data as described in section 3 | United States | Data processor for payment processing on our behalf; independent controller for Stripe's own fraud prevention and regulatory compliance purposes |
| Resend | Sends emails on our behalf (account verification, notifications) | Email address, name | United States | Data processor |
Most of our service providers process your data only on our instructions and are bound by data processing agreements. The exceptions are Google and Stripe, which each act as independent data controllers for some of the data they process. Google determines its own purposes for some data collected through Google Maps (such as security and abuse prevention). Stripe determines its own purposes for fraud prevention and regulatory compliance. For details, please see Google's privacy policy at policies.google.com/privacy and Stripe's privacy policy at stripe.com/privacy.
Sub-processors: The service providers listed above may engage their own sub-processors (for example, cloud infrastructure providers underlying their service) to deliver their services to us. Where this is the case, the relationship is governed by data processing terms that bind the sub-processor to equivalent protections. Each of Supabase, Vercel, Anthropic, Stripe, and Resend publishes a current sub-processor register accessible from their respective trust or legal pages. We review changes to material sub-processor arrangements as part of our ongoing supplier due diligence.
Venue partners: We provide venue partners with aggregated, anonymised analytics about how their venue and deals perform on our Platform (for example, how many times a deal was viewed or how many users added a venue to their itinerary). This data does not identify you personally. We do not share your name, email, location, or any other personal data with venue partners.
Law enforcement and regulators: We may disclose your data where we are legally required to do so, for example in response to a court order or a binding request from a regulatory authority.
Business transfers: If Get Dizzy AI LTD is acquired, merges with another company, or sells all or part of its assets, your personal data may be transferred as part of that transaction. The legal basis for this processing is our legitimate interest in being able to complete a corporate transaction. We will notify you of any such transfer and any changes to how your data is handled before the transfer takes place, and you will have the opportunity to delete your account if you do not wish your data to be transferred.
We do not sell your personal data to anyone.
9. International data transfers
Several of our service providers are based in the United States, which means your personal data is transferred outside the United Kingdom.
When we transfer personal data outside the UK, we ensure it is protected by appropriate safeguards as required by UK data protection law. The specific safeguards in place for each provider are:
Providers certified under the UK Extension to the EU-US Data Privacy Framework (DPF):
| Provider | DPF certified | Covers |
|---|---|---|
| Stripe | Yes | EU-US DPF, UK Extension, Swiss-US DPF |
| Google | Yes | EU-US DPF, UK Extension, Swiss-US DPF |
| Vercel | Yes | EU-US DPF, UK Extension, Swiss-US DPF |
The Data Privacy Framework provides an adequate level of protection for personal data transferred from the UK to certified US organisations, as recognised by the UK government.
Providers relying on Standard Contractual Clauses (SCCs):
| Provider | Transfer mechanism |
|---|---|
| Supabase | UK Addendum to EU Standard Contractual Clauses, incorporated into their Data Processing Agreement |
| Anthropic | UK Addendum to EU Standard Contractual Clauses, incorporated into their Data Processing Agreement |
| Resend | UK Addendum to EU Standard Contractual Clauses, incorporated into their Data Processing Agreement |
For providers relying on SCCs, we conduct a Transfer Risk Assessment (TRA) in line with ICO guidance to ensure they provide appropriate protection for your data in light of US law, the practical effectiveness of the SCC safeguards in that jurisdiction, and the specific nature of the data being transferred. We review these assessments periodically and when material circumstances change.
If you would like further details about the safeguards we use for any specific provider, please contact us at legal@getdizzy.ai.
10. How long we keep your data
We keep your personal data only for as long as we need it for the purposes set out in this policy. The specific retention periods are:
| Data type | How long we keep it |
|---|---|
| Account data (name, email, preferences) | For as long as your account is active, plus up to 30 days in a soft-delete recovery period if you delete your account, after which it is permanently removed |
| Default location / home town | Retained while your account is active; removed if you clear it or delete your account |
| Subscription and billing metadata (tier, status, billing dates) | For as long as your account is active. After account closure, we retain this data for up to 2 years for customer support and dispute resolution purposes. We may retain a minimal subset of billing metadata (subscription tier, billing dates, and amounts) for up to 6 years after account closure where necessary to comply with financial record-keeping obligations under UK tax law. Stripe separately retains financial transaction records (invoices, payment history) in accordance with their own retention policies and applicable financial record-keeping requirements. |
| Location data (cached coordinates) | Stored on your device only; we do not retain a server-side history of your locations |
| Deal and venue interaction data | For as long as your account is active, plus 2 years after account closure |
| AI search queries | 30 days from the date of the search |
| Analytics data (Vercel) | Up to 26 months (managed by Vercel; no raw IP addresses or personal identifiers stored) |
| Marketing attribution data (UTM) | Linked to your account at signup; retained for as long as your account is active |
| Communications and support data | 2 years from the date of the last communication |
| Security logs (failed login attempts, rate limit data) | Between 1 hour and 7 days depending on the type of security event |
When a retention period expires, we either delete the data securely or anonymise it so it can no longer identify you.
11. Your rights
Under UK data protection law, you have the following rights over your personal data:
Right of access: You can ask us for a copy of the personal data we hold about you.
Right to rectification: You can ask us to correct any inaccurate or incomplete data. You can also update most of your information directly through your account settings.
Right to erasure (right to be forgotten): You can ask us to delete your personal data. You can also delete your account directly through the Platform, which triggers a 30-day recovery period before permanent deletion in case you change your mind. If you submit a formal erasure request to us rather than using the self-service deletion option, we will process the deletion within one month without applying the 30-day recovery period. There may be limited circumstances where we need to retain certain data beyond deletion (for example, to comply with a legal obligation).
Right to restrict processing: You can ask us to temporarily stop processing your data in certain circumstances, for example while we verify the accuracy of your data following a dispute.
Right to data portability: Where we process your data on the basis of your consent or our contract with you, and that processing is carried out by automated means, you can ask us to provide your data in a structured, commonly used, machine-readable format so you can transfer it to another service.
Right to object: You can object to our processing of your data where we rely on legitimate interests as our legal basis. You also have an absolute right to object to direct marketing at any time.
Right to withdraw consent: Where we process your data based on your consent (for example, location data access or marketing emails), you can withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of any processing carried out before you withdrew it.
Right not to be subject to automated decision-making: Our AI search feature provides recommendations only and does not make decisions that produce legal or similarly significant effects on you. If this changes in the future, we will update this policy and ensure appropriate safeguards are in place.
How to exercise your rights: Contact us at legal@getdizzy.ai. We will respond within one month. In some cases we may need to verify your identity before acting on your request.
Right to complain: If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: https://ico.org.uk
- Telephone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would appreciate the chance to address your concerns before you contact the ICO, so please reach out to us first if you can.
12. Children and age restrictions
Our Platform is intended for users aged 18 and over. This is because the Platform features deals on alcoholic drinks and promotions at licensed venues.
We do not knowingly collect personal data from anyone under the age of 18. If you are under 18, please do not create an account or use our Platform.
If we become aware that we have collected data from someone under 18, we will take steps to delete that data as quickly as possible. If you believe a child under 18 has provided us with their personal data, please contact us at legal@getdizzy.ai.
13. Security
We take the security of your personal data seriously and use appropriate technical and organisational measures to protect it. These include:
- Encrypted data transmission (HTTPS/TLS) across the entire Platform
- Secure password hashing (we never store your password in plain text)
- Authentication tokens stored locally on your device, not in cookies
- Rate limiting on login attempts to prevent brute-force attacks
- CSRF (cross-site request forgery) protection
- Role-based access controls limiting who within our team can access your data
- Regular security reviews of our codebase and infrastructure
While we take all reasonable steps to protect your data, no system is completely secure. We encourage you to use a strong, unique password for your Get Dizzy account and to keep your login details confidential.
Personal data breach notification: In the unlikely event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay using the contact details on your account. We will notify the Information Commissioner's Office within 72 hours of becoming aware of a notifiable breach, in line with our obligations under the UK GDPR.
14. Links to other websites
Our Platform contains links to venue partner websites and third-party services (such as Google Maps). This privacy policy applies only to our Platform. When you follow a link to another website, their own privacy policy applies. We encourage you to read the privacy policies of any website you visit.
15. Changes to this policy
We may update this privacy policy from time to time to reflect changes to our practices, technology, or legal requirements.
Where changes are significant, we will notify you by email (using the address linked to your account) or by displaying a prominent notice on the Platform before the changes take effect.
We encourage you to review this policy periodically. The "last updated" date at the top of this page tells you when it was most recently revised.
16. Contact us
If you have any questions, concerns, or requests regarding this privacy policy or your personal data, please contact us:
- Email: legal@getdizzy.ai
- Post: Get Dizzy AI LTD, 340 The Crescent, Colchester, England, CO4 9AD
We aim to respond to all enquiries as soon as reasonably practicable, and to all formal data subject requests within one month as required by law.