Account security
Authentication is handled by Supabase. Passwords are never stored in plain text — Supabase hashes them with industry-standard algorithms. Sessions are short-lived and tied to the device they were issued on.
You can sign out of all sessions from your profile settings. We recommend using a unique password and enabling two-factor authentication on your email provider, which is the recovery channel for your Gay Map account.
LGBTQ+-specific protections
Mainstream event platforms expose your name, your face, and the parties you attend to anyone who looks. We don't. The following controls are first-class on every event:
- Address reveal gates. Hosts can publish an event publicly while keeping the exact venue address private — released only after RSVP, only after host approval, or a set number of hours before start.
- Guest list privacy. Hosts choose whether the guest list is hidden, visible to attendees, or public. The default is “hidden”.
- Anonymous RSVPs. Attendees can opt to hide their identity from other guests while still being counted on the host's door list.
- Discoverability switch. Hosts can mark an event as link-only — hidden from feeds and search, even when public events on the same calendar remain visible there.
- No public attendee history. We don't expose the list of past events you've RSVP'd to on a public profile.
Data protection posture
Detailed practices are in our Privacy Policy. The short version of what we don't do:
- We don't sell personal data. Ever.
- We don't run third-party advertising trackers, retargeting pixels, or social-graph scrapers.
- We don't share your RSVP history with anyone other than the hosts of the events you registered for.
- We don't require government ID, phone numbers, or real-name verification to use the platform.
Infrastructure security
Traffic is served over HTTPS with modern TLS. The database is encrypted at rest. Production secrets are managed outside the code repository and access is restricted to a small number of operators. Backups are encrypted and tested.
We follow the principle of least privilege for internal access: engineers don't routinely query production data, and access to attendee records is logged.
Reporting abuse on the platform
If you experience or witness harassment, doxxing, hateful conduct, or any safety incident, please email safety@gaymap.live. Include screenshots or links if you can. We aim to triage every report within 48 hours and act on credible reports promptly, including by removing content, restricting accounts, and cooperating with the affected host.
If you are in immediate danger, please contact local emergency services first.
Vulnerability disclosure
We welcome reports from security researchers. Please email security@gaymap.live with a clear description, reproduction steps, and any proof-of-concept code. We commit to:
- Acknowledge your report within 3 business days.
- Investigate and provide a status update within 10 business days.
- Not pursue legal action against good-faith researchers who follow responsible-disclosure norms (no data exfiltration, no service disruption, no testing against accounts you don't own).
- Credit you publicly in our changelog after the fix ships, if you wish.
We don't currently run a paid bug bounty programme. We may offer a thank-you and platform credit for impactful reports.
Incident response
If we discover a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Berlin Commissioner for Data Protection and Freedom of Information within 72 hours of becoming aware, as required by GDPR. We will also notify affected users without undue delay, with a clear summary of what happened, what data was involved, and what you should do.
Contact
- Safety incidents on the platform — safety@gaymap.live
- Vulnerability reports — security@gaymap.live
- Privacy / GDPR requests — privacy@gaymap.live