Hobbly - Discover Your City in a New Way

Privacy Policy

Last updated 20 April 2026

At Hobbly, we take data protection seriously. Privacy and information security are at the heart of everything we do. This Privacy Policy describes the key principles and practices we follow to ensure that your privacy is respected when you use our services.

Hobbly Technologies Oy ("Hobbly", "we") processes the personal data of users and visitors of the Hobbly mobile application, the hobbly.app website, the Hobbly Tickets service and other digital services provided by Hobbly (together, the "Service"). Through the Service, users can, among other things, discover events, activities and travel services, take part in them, join communities and membership groups of Partners, and purchase tickets.

In this Privacy Policy, "User" or "you" refers to users of the Service, representatives and authorised users of Hobbly's Partners, potential customers, and visitors to the Service and the hobbly.app website.

Some of our services may be subject to a separate privacy notice. Where a service has its own separate privacy notice, it is published in connection with that service.

This Privacy Policy may be updated from time to time to reflect changes in our processing practices or in legislation. The current version is always available at hobbly.app/privacy. We will not make material changes or reduce Users' rights under this Privacy Policy without notifying you in advance.

1. Controller and roles in the processing of personal data

Hobbly acts as the controller in respect of personal data processed for Hobbly's own purposes, such as:

  • providing and maintaining the Service
  • managing user accounts
  • enabling the processing of payments
  • customer support
  • information security and the prevention of misuse
  • analytics and development of the Service

When a User purchases a ticket, makes a booking, registers for an event, or joins a Partner's community, personal data is also processed for the Partner's own purposes.

In such situations:

  • the Partner acts as an independent controller in respect of its own service, event or customer relationship
  • Hobbly acts as the controller to the extent that the processing relates to the provision of the Hobbly Platform

In certain situations, the parties may act as joint controllers (GDPR Article 26), in particular where personal data is processed jointly to enable a service delivered through the Platform.

The Partner is responsible for its own processing of personal data and for the legislation applicable to it.

Where a Partner processes personal data outside the Service for its own purposes, such processing is governed exclusively by the Partner's own privacy notice.

1.1 Contact details

Hobbly Technologies Oy

Business ID: 3503150-1

Postal address: Liikiäläntie 13, 54920 Taipalsaari, Finland

Data protection matters: privacy@hobbly.app

General customer support: support@hobbly.app

Hobbly is not required to appoint a data protection officer under GDPR Article 37. Data protection matters are handled by Hobbly's management, who can be reached at the addresses above. Notifications of security incidents and other data protection enquiries should be sent to privacy@hobbly.app.

3. Personal data we process and its sources

We only process personal data to the extent necessary and appropriate for the specific purpose of processing. The personal data we collect and process can be divided into two general categories: User Data and Usage Data.

3.1. User Data

User Data is personal data we collect either directly from you, from our Partners, or in some cases through your interactions with other Users in the Service. We collect User Data, for example, when you register for the Service, buy a ticket or make a booking, join a Partner's community, membership group or team, subscribe to our newsletter, take part in a campaign, or fill in a contact form.

User Data that is necessary to use the Service:

The following data is necessary for the performance of the contract between you and Hobbly and for compliance with our statutory obligations. If you do not provide this data, we cannot provide the Service or its essential functionalities to you.

  • name or username;
  • email address;
  • password or equivalent authentication credential (in encrypted form);
  • date of birth or age (for age verification; see Section 11);
  • payment instrument details, such as card number and expiry date. These details are needed to make purchases but are not stored by Hobbly — payments are processed and the details retained by our third-party payment service provider, Stripe.

Optional User Data that enhances the user experience:

  • profile picture;
  • phone number;
  • home town or place of residence (see also Section 3.3 on location data);
  • interests, favourites, saved events and followed Partners;
  • loyalty programme or membership group identifiers and related information;
  • other information you provide when creating your account or subsequently editing your profile.

Data generated through use of the Service:

  • purchase, booking and registration history (products purchased, dates, total amounts);
  • content you post in the Service, such as reviews, comments and responses to surveys;
  • marketing consents you have given and their withdrawal;
  • messages, feedback and complaints submitted to customer support or otherwise, including email and chat correspondence.

User Data received via Partners:

When you join a community, membership group or team maintained by a Partner in the Service, the Partner may provide us with additional information about you to administer your membership (e.g. your role in the team or group, participation data). Hobbly processes this information in accordance with this Privacy Policy.

Contact details collected for marketing and sales purposes:

We also process the contact details of individuals (prospective customers and prospective Partners) whom we collect for marketing and sales purposes. Sources may include, for example, public registers (such as the Finnish trade register), business information services, contact forms on our website, trade fairs and events, newsletter subscriptions, or contact details provided on the individual's own initiative. Such information typically includes name, role, email address, phone number, the organisation represented and its business ID, and notes relating to communications. For the legal bases for this processing and the data subject's rights, see Sections 4 and 8.

3.2. Usage Data

Usage Data is collected automatically when a User uses the Service or visits our website. Although Usage Data is generally not used to identify individuals, when combined with User Data it may constitute personal data, and we process it accordingly.

  • device information: device type, operating system, software version, browser information, language settings and identifiers related to the device or applications;
  • network connection information: IP address, operator information and connection type;
  • country, region and time-zone level location based on IP address (more precise location data is processed in accordance with Section 3.3);
  • Service usage: events viewed, searches made, navigation paths, tap paths, session durations and features used;
  • error logs and crash reports for troubleshooting technical issues;
  • reporting data relating to events triggered by our advertising partners, subject to your consent;
  • cookies and similar technologies; see Section 3.4.

3.3. Location data

Location is a central part of the Service, as we provide Users with city- and location-based content, notifications and recommendations about events, activities and travel services.

City or locality selection:

when registering for and onboarding to the Service, we may ask you to select a city or locality whose offering you wish to follow. This step is optional (skippable). The selection you provide is saved to your user account.

GPS-based location:

if you grant the Service permission in your device's operating system to use your precise (GPS-based) location, we process location data to provide you with real-time location-based features — for example, to display events near you or to send location-based notifications. Processing of precise location is based on your explicit consent, which you can withdraw at any time from your device or the Service settings. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

Approximate location:

if you do not grant permission for precise location, we may process coarse country- or city-level location derived from your IP address to deliver basic Service functionality, such as language selection and general content targeting.

Purposes for processing location data:

  • providing location-based event, activity and travel recommendations;
  • sending location-based notifications (e.g. notifications about events starting nearby);
  • targeting Service content, searches and filters to the correct geographic area;
  • developing the Service using aggregated location data (e.g. which areas are popular).

3.4. Cookies and similar technologies

We use cookies, local storage, application identifiers and other similar technologies to collect and store Usage Data. Cookies help us recognise visitors to the Service, facilitate use of the Service and produce aggregated information about our visitors. This helps us develop the Service and serve our Users better. Cookies and similar technologies do not harm your device or files.

You can manage your cookie settings via the cookie banner on our website and in the Service settings. You can also change your browser settings to block or delete cookies. Please note that some cookies are essential for the Service to function, and blocking them may affect your ability to use the Service.

On mobile devices, you can manage advertising and tracking identifiers from your device settings (iOS: Settings → Privacy & Security → Tracking; Android: Settings → Privacy → Ads).

3.5. Data received from third parties

In addition to data received from you, from Partners and automatically collected through the Service, we may process limited data obtained from third parties:

  • basic authentication data from third-party sign-in services you use (e.g. Apple, Google), where you use them to sign in;
  • from our payment service provider (Stripe), information on the status and success of payment transactions;
  • for business customers, contact person information from public sources such as the trade register, or from business information services.

4. Purposes and legal bases of processing

We process personal data only to the extent necessary and appropriate for the specific purpose of processing. More than one of the purposes and GDPR legal bases listed below may apply to the same processing activity.

4.1. Performance of a contract (GDPR Article 6(1)(b))

Primarily, we process personal data to fulfil our contractual obligations to you or to the organisation you represent, for example to the extent necessary to:

  • provide the Service to you in accordance with our Terms of Service;
  • create and maintain your user account;
  • carry out the orders, bookings and registrations you have made, and deliver tickets;
  • process your payments and any refunds on behalf of the Partner via Stripe Connect payment processing;
  • administer your memberships in Partners' communities and groups within the Service;
  • communicate with you about essential aspects of the Service or an order, such as order confirmations, changes or updates to the Terms of Service;
  • respond to your enquiries and handle your complaints.

4.2. Legitimate interests (GDPR Article 6(1)(f))

We process personal data where processing is necessary for the purposes of our legitimate interests and where we have assessed that these interests are not overridden by the rights and freedoms of Users. Our legitimate interests include, among others:

  • conducting, maintaining and developing our business;
  • establishing and maintaining customer relationships;
  • ensuring the technical functionality and security of the Service, and preventing and investigating misuse, fraud and disruptions;
  • developing the Service using Usage Data, which is, as far as possible, processed in aggregated or pseudonymised form;
  • processing receivables, debt collection, and establishing, exercising or defending legal claims;
  • marketing to existing customers, and communications with prospective customers and prospective Partners in the context of B2B communications.

4.3. Consent (GDPR Article 6(1)(a))

We process personal data on the basis of your consent where consent is required, for example:

  • direct marketing to consumers, newsletters and marketing communications;
  • advertising, analytics and marketing cookies and similar technologies;
  • processing of precise (GPS-based) location data;
  • Partner-specific marketing permissions that you can manage in the Service settings.

You can withdraw your consent at any time by contacting us or changing the settings in the Service. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

4.4. Legal obligation (GDPR Article 6(1)(c))

We process personal data to comply with our statutory obligations, including those under the Finnish Accounting Act (1336/1997), tax legislation, consumer protection law and the Digital Services Act (DSA, EU 2022/2065), and to respond to lawful requests for information from authorities.

4.5. Profiling and automated decision-making

We use limited profiling for Service personalisation, for example to recommend events that are likely to interest you based on your interest data, your location selection and your use of the Service. This is technical personalisation and does not produce legal effects concerning you or similarly significantly affect you.

Profiling for marketing purposes is always based on your consent, which you can withdraw at any time.

We do not carry out decision-making based solely on automated processing within the meaning of GDPR Article 22 that would produce legal effects or similarly significantly affect Users.

5. Recipients of personal data

We do not sell personal data to third parties. We share personal data with parties outside Hobbly's organisation only in the situations described below and in accordance with applicable law.

5.1. Service providers and processors

In providing the Service we use carefully selected service providers that process personal data on our behalf. These providers are subject to a data processing agreement under GDPR Article 28, which requires them to process the data only on our instructions, to apply appropriate security measures, and to delete or return the data when the service ends.

Our key service providers are listed in the table below. You can request a more detailed list by contacting privacy@hobbly.app.

Service providerPurposeLocation and transfer mechanism
Stripe Payments Europe, Ltd.Payment processing and handling of payment transactionsIreland (EEA); parent company in the USA (SCC + DPF)
Amazon Web Services (AWS)Cloud storage and server infrastructureEU region primarily; USA where necessary (SCC + DPF)
SentryProcessing of error logs and crash reportsUSA (SCC + DPF)
MailtrapEmail deliveryEU region
Google (Analytics, Firebase)Web and application analyticsUSA (SCC + DPF); processed on the basis of consent
Meta (Facebook Pixel)Advertising and analytics toolsUSA (SCC + DPF); processed on the basis of consent
WebflowWebsite contact formUSA (SCC + DPF)

5.2. Partners

When you purchase a ticket, make a booking, register for an event or join a Partner's community or group through the Service, we disclose to the Partner the information necessary to administer the Purchase Agreement or the membership (e.g. name, contact details, order details and role information). The Partner processes this information within the Service in accordance with our instructions, as part of Hobbly's controllership.

A Partner's independent processing outside the Service (e.g. in its own customer systems or marketing) is based on the Partner's own legal basis and policy and is not covered by this Privacy Policy.

5.3. Other Users

In some features of the Service, certain User Data (e.g. first name, username, profile picture, reviews and comments) is shown to other Users as part of the normal operation of the Service. For example, if you attend an event or join a group, your name may be displayed on a participant list to other participants or to the group administrators.

5.4. Authorities and legal reasons

We disclose personal data to authorities where required by law or where reasonably necessary to (i) comply with applicable law, regulation or a court order, (ii) detect, prevent or address fraud, crime, security issues or technical issues, or (iii) protect the rights, property or safety of Hobbly, Users or others within the limits permitted by law.

We also comply with the authority-cooperation obligations under the Digital Services Act (DSA).

5.5. Corporate transactions

If Hobbly is involved in a corporate transaction such as a merger, demerger or business acquisition, personal data may be transferred to the counterparty in accordance with applicable law. We will notify affected Users when personal data is transferred to another company or becomes subject to a different privacy policy.

5.6. Transfers of data outside the EU and the EEA

We process personal data primarily within the EU and the EEA. However, some of our service providers may also process personal data outside the EEA, particularly in the United States. When personal data is transferred outside the EEA, we ensure that the transfer is carried out in accordance with GDPR Article 46 using one or more of the following safeguards:

  • the European Commission's Standard Contractual Clauses (SCC);
  • EU–U.S. Data Privacy Framework certification for transfers to the United States;
  • another GDPR-compliant transfer mechanism, such as a European Commission adequacy decision.

You can request a copy of the safeguards we use by contacting privacy@hobbly.app.

6. Retention periods

We retain personal data only for as long as is necessary for the purposes described in this Privacy Policy or as required by law. The retention period depends on the nature of the data and the purpose of the processing. When the retention period ends, the data is deleted or anonymised.

Category of dataRetention period
User account data and interest dataUntil the User deletes their account, or until the account has been inactive for a substantial period. Deletion takes place no later than 14 days after account closure.
Partner membership and participation data in the ServiceFor the duration of the membership or participation and for a reasonable period thereafter (typically no more than 12 months), unless extended by a statutory retention obligation.
Location dataPrecise GPS location is generally not stored permanently but processed in real time to deliver functionality. Aggregated or anonymised location data is retained for developing the Service.
Purchase and payment transaction data, invoicing and accounting recordsUnder the Finnish Accounting Act, 6 years from the end of the financial year; for supporting vouchers, 10 years where specific legislation so requires.
Tax-related recordsRetention period under tax legislation (typically 6 years from the end of the tax year).
Customer support messages, feedback and complaints12 months from receipt of the message, unless a longer retention is required, e.g. due to an ongoing complaint.
Contact details of prospective customers collected for marketing and sales purposesFor the duration of active contact and up to 24 months from the last contact, unless the individual has earlier objected to the processing.
Marketing consents and their withdrawalFor the duration of the consent and 2 years after withdrawal, to demonstrate that consent was previously in force.
Service analytics and identifier data (application)30 days for raw data; aggregated statistics are retained in anonymised form for longer.
Website analytics and cookie dataUp to 14 months.
Error and security logsUp to 12 months, unless a security investigation requires a longer retention.

We review retention periods regularly to ensure that data is not retained longer than necessary.

7. Rights of the data subject

You have the rights under the GDPR and the Finnish Data Protection Act in relation to the processing of your personal data.

Right of access (GDPR Article 15).

You have the right to obtain confirmation as to whether personal data concerning you is being processed and to obtain a copy of the data we process.

Right to rectification (Article 16).

You can request the correction or completion of inaccurate or incomplete data. You can correct some information directly in the Service settings.

Right to erasure (Article 17).

You can request that your data be deleted. We will comply unless we have a lawful basis or obligation to retain the data (e.g. a retention obligation under the Finnish Accounting Act).

Right to restriction of processing (Article 18).

You can request restriction of processing, for example while the accuracy of the data is being verified or while you object to the processing.

Right to data portability (Article 20).

You can request the data you have provided to us in a structured, commonly used format, or to have it transferred directly to another controller where technically feasible.

Right to object (Article 21).

You can object to processing based on legitimate interests. You may object to direct marketing at any time without needing a specific reason, and profiling for such marketing will cease immediately.

Right to withdraw consent.

Where processing is based on your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Right not to be subject to automated decision-making (Article 22).

We do not carry out automated decision-making concerning you within the meaning of GDPR Article 22.

7.1. Exercising your rights

You can exercise most of your rights yourself via the Service settings (editing profile data, managing marketing permissions, closing your account). For other matters, please contact privacy@hobbly.app.

We respond to requests within one month in accordance with GDPR Article 12. The period may be extended by up to two further months where the request is complex or there are multiple requests. Where necessary, we may request additional information to verify your identity. Requests are in principle free of charge, but we may refuse a request or charge a fee where the request is manifestly unfounded or excessive, in particular due to its repetitive character.

8. Direct marketing

You may at any time prohibit us from using your personal data for direct marketing and related profiling:

  • via the Service settings (e.g. management of marketing permissions);
  • via the unsubscribe link included in every marketing message;
  • by contacting us at privacy@hobbly.app.

We send direct marketing (e.g. newsletters, campaign messages and push notifications) always in accordance with applicable law. Electronic direct marketing to consumers is generally based on your consent. To existing customers, we may also send marketing on the basis of legitimate interests concerning products or services similar to those you have previously ordered, in accordance with the Finnish Act on Electronic Communications Services (917/2014).

Marketing to Partners and prospective business customers (B2B), such as partnership communications, is based on our legitimate interest in developing our business and maintaining our partner network.

You can manage Partner-specific marketing permissions separately from the Service settings, allowing or disallowing a particular Partner to send marketing through the Service.

9. Lodging a complaint

If you consider that we process your personal data in breach of the GDPR or other applicable data protection law, you have the right to lodge a complaint with a supervisory authority. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (tietosuoja.fi).

We recommend that you first contact us at privacy@hobbly.app so that we can try to resolve the matter promptly.

10. Principles of data protection safeguards

We protect personal data using appropriate administrative, technical and physical measures in accordance with GDPR Article 32. Such measures include, among others:

  • encryption of data in transit (TLS) and, where necessary, at rest;
  • pseudonymisation and data minimisation where appropriate;
  • access controls and restriction of access rights to only those persons whose duties require it;
  • confidentiality obligations and staff training;
  • careful selection of service providers and data processing agreements under GDPR Article 28;
  • regular security assessments, log monitoring and vulnerability testing;
  • back-ups and recovery plans.

If a personal data breach occurs and is likely to result in a risk to the rights and freedoms of data subjects, we will notify the Data Protection Ombudsman within 72 hours of becoming aware of it (GDPR Article 33). In the case of a high risk, we will also notify the data subjects without undue delay (GDPR Article 34).

11. Protection of minors

Under Section 5 of the Finnish Data Protection Act, processing based on the provision of an information society service to a child is lawful where the child is at least 13 years of age. The age limit of our Service is 13 years. Children under the age of 13 are not permitted to use the Service or to create a user account.

A minor User requires the consent of a guardian to make paid purchases and to enter into other binding legal acts. If we become aware that data of a child under 13 has been collected without a valid legal basis, we will delete the data without delay.

If you are a guardian and you suspect that your minor child is using the Service contrary to the age limit, or that data about them has been collected, please contact privacy@hobbly.app.

12. Changes to this Privacy Policy

We may update this Privacy Policy, for example due to changes in legislation, development of the Service or changes in our processing practices. The current version is always available at hobbly.app/privacy.

We notify material changes in the Service or by email before the changes take effect. The top of the Policy indicates when it was last updated.