Legal

Privacy policy

Who we are

Brooks Prequel (“Brooks”) operates the Brooks marketplace at https://brooksweb.uk. Legal identifier: 405713777. Contact: info@brooksweb.uk.

Information we collect

Account information: email address, display name, and authentication identifier provided by Auth0 when you sign in. Profile information: any avatar, bio, region, interests, and location coordinates you choose to add. Purchase information: items purchased, price paid, transaction identifier from Bank of Georgia iPay. Content you create: guides, days, blocks, places, photos, and reviews. Trip data: scheduled times, visited markers, and skip flags you set on purchased trips. Technical information: server logs that record your IP address, request path, and timestamp for security and reliability.

How we use information

To provide the service: authenticating you, showing your purchased guides, syncing your trip data, and delivering purchases. To process payments through Bank of Georgia iPay. To prevent fraud and abuse. To respond to support requests. To improve the product based on aggregate usage patterns.

Location data

Brooks uses location data to power its map-based features. With your explicit permission, we access your device’s approximate or precise location only to centre the map on where you are and to offer the “use my current location” shortcut when you create a guide or memory. Separately, we store the coordinates you choose to attach to content — the pins on your guides, places, and the hidden memories you drop on the map — and the region you add to your profile. These stored coordinates also enable location-gated features, such as unlocking a hidden memory only when you are physically near the spot and sending proximity notifications you have opted into.

Granting location permission is entirely optional and the app remains usable without it; you can grant or revoke it at any time in your device settings. We do not track your location in the background or build a movement history — location is read only in the moment you use a feature that needs it.

Location data is encrypted in transit with TLS and stored on infrastructure (Google Cloud Platform) that encrypts data at rest. We never sell your location data to third parties, and we never use or share it for advertising. The only third party that receives location coordinates is Mapbox, and solely to render the map tiles you are viewing — this is a technical processing step subject to Mapbox’s privacy policy, not a sale. You can delete location coordinates attached to your content by editing or removing that content, or delete all of it via account deletion (see “Your rights” below).

Service providers we use

Auth0 (Okta) handles authentication and stores your account credentials. Bank of Georgia iPay processes card payments. Google Cloud Platform hosts the application, database, and media files. Mapbox renders interactive maps when you view location-based features. Google Calendar (optional) receives trip events when you connect your calendar. These providers receive only the information necessary to perform their function and are bound by their own privacy policies.

Google user data — limited use disclosure

Brooks’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: when you connect Google Calendar, we request only the calendar and email scopes needed to create a dedicated “Brooks Trips” calendar in your account and write the events for trips you have purchased. We never sell or share Google user data with third parties for advertising, do not transfer it for unrelated purposes, do not allow humans to read it except for support cases you initiate, and store the refresh token encrypted at rest. You can disconnect Google Calendar at any time from the Add-to-Calendar dialog, which deletes the stored refresh token from our database.

Cookies and similar technologies

We use first-party cookies that are strictly necessary to keep you signed in and to remember short-lived state during the OAuth and payment flows. We do not use third-party advertising cookies.

Your rights

You can request access to, correction of, or deletion of your account data by writing to info@brooksweb.uk. We will respond within 1 business day. You can disconnect optional integrations (such as Google Calendar) from inside the app at any time. Deleting your account removes your profile, purchases, and uploaded content from our active database; backup copies may persist for up to 30 days before being purged.

Self-service account deletion: signed-in users can delete from Settings → Delete account. If you have lost access, request deletion at https://brooksweb.uk/account/delete — we email a confirmation link to the address on file.

Brooks Android app

The Brooks Android application (package uk.brooksweb.app) is a thin shell that loads https://brooksweb.uk inside a secure WebView. The native shell additionally requests, only when relevant: notification permission (to deliver booking and trip reminders), and location permission (to centre the map on your current position). Neither permission is required to use the app. Location coordinates sent to Mapbox to render tiles are subject to Mapbox’s privacy policy. Apple/Google Play Store identifiers (install ID, device language, OS version) are processed by the respective store and not collected by Brooks beyond standard crash reporting.

In-app payments inside the Brooks Android app use the same Bank of Georgia iPay processor as the web site; Google Pay, where offered, is a wallet that tokenises your card and forwards the token to Bank of Georgia iPay for the actual charge — Brooks never receives or stores your card details.

Data retention

We retain account and purchase information for as long as your account is active or as required to comply with tax and accounting law. Server logs are retained for up to 90 days. Encrypted OAuth refresh tokens are deleted immediately upon disconnect or account deletion.

Security

Data in transit is encrypted with TLS. Sensitive credentials such as third-party API keys and OAuth refresh tokens are encrypted at rest with AES before storage. Access to production systems is restricted to authorised personnel. No system is perfectly secure; please contact us at info@brooksweb.uk if you believe your data has been compromised.

Children

Brooks is not directed to children under 13 (or under 16 in jurisdictions where that is the applicable threshold). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact info@brooksweb.uk and we will delete it.

Changes to this policy

We may update this policy from time to time. Material changes will be communicated via the email address associated with your account. Continued use of the service after the update constitutes acceptance of the revised policy.

Contact

Questions about this policy: info@brooksweb.uk. Standard response time is within 1 business day during Monday-Friday, 10:00-18:00 Asia/Tbilisi time.