# Privacy Policy **Last updated:** `[23 May 2025]` ## 1. Who We Are This app (“**Vrabac**,” “we,” “us,” “our”) helps people discover events in Belgrade. **Data Controller:** *Vrabac d.o.o.* ## 2. How to Contact Us For any question about this policy or to exercise your privacy rights, e-mail **vrabacdanas@gmail.com**. (We do not currently appoint a separate Data Protection Officer.) --- ## 3. What Data We Collect | Category | Details | Purpose | Legal basis (GDPR Art. 6) | |----------|---------|---------|---------------------------| | **Account identifiers** | • E-mail address (required) • Username/handle • Display name | Create & manage your account; sign-in | Performance of a contract (Art. 6 (1)(b)) | | **Social graph & preferences** | • Organizations you follow • Friends you add • Posts/events you bookmark • Posts friends share with you | Build recommendations; show feeds & notifications | Legitimate interests (Art. 6 (1)(f)) | | **Device data** | • Push-notification device token • Crash/error logs | Deliver notifications; fix bugs & improve reliability | Legitimate interests (Art. 6 (1)(f)) | | **Optional marketing** | • E-mail (for campaign mail-outs, if you opt-in) | Send newsletters & product updates | Consent (Art. 6 (1)(a)) | > **No location tracking:** we do **not** collect GPS or any other location data. --- ## 4. How We Use Your Data 1. **Provide the service** – create your account, let you view and bookmark events, manage friends, and receive real-time updates. 2. **Recommend events** – our algorithm looks only at (a) organizations you follow, (b) posts you or your friends bookmarked, and (c) metadata in those posts (event location, time, category). 3. **Send notifications** – push or e-mail alerts when: - an organization you follow posts an event, - a friend sends you a post, or - you receive a friend request. *We do not profile you for ads or third-party marketing.* 4. **Maintain security & fix bugs** – we use Sentry (crash reporting) and standard server logs. 5. **Comply with law** – respond to legal requests or protect our rights. --- ## 5. Sharing Your Data | Recipient | Purpose | Safeguard | |-----------|---------|-----------| | **Google Firebase Cloud Messaging** | Stores the anonymous device token so we can push notifications. | EU Standard Contractual Clauses (“SCCs”) & Google’s Data Processing Addendum | | **Sentry** | Crash-reporting & diagnostics | SCCs & Sentry’s Data Processing Agreement | | **Infrastructure & service providers** | Hosting, e-mail, analytics strictly on our behalf | Data-processing agreements & SCCs | We never sell or rent personal data to third parties. --- ## 6. International Transfers Some partners (e.g., Google Firebase and Sentry) may process data on servers outside Serbia and the EU. Where this happens, we rely on the **EU Standard Contractual Clauses** and other legally-recognized safeguards to ensure your data remains protected. --- ## 7. Data Retention - **Active account:** We keep your data until you delete your account. - **After deletion request:** We retain a secure backup for **30 days**, then permanently erase or anonymize it. - **Crash logs:** Deleted or anonymized after **90 days**. --- ## 8. Your Rights Under GDPR (and similar laws) you can: - Access, correct, or delete your personal data - Object to processing or ask us to restrict it - Withdraw consent (for marketing) at any time - Port your data to another service - Lodge a complaint with your local data-protection authority - *Serbia:* Commissioner for Information of Public Importance and Personal Data Protection You can exercise most rights in the app (“Delete account”) or by writing to **vrabacdanas@gmail.com**. --- ## 9. Children Vrabac is **not intended for anyone under 16**. We do not knowingly collect personal data from children. If you believe a child has provided us data, please contact us and we will delete it. --- ## 10. Security Measures - All traffic is encrypted via **HTTPS/TLS 1.2+** - Passwords are stored using **bcrypt-hashed salts**; we never keep plain-text passwords - Strict least-privilege access controls and periodic security reviews --- ## 11. Changes to This Policy We will post any future changes here and, for major updates, notify you in-app or by e-mail. The “Last updated” date at the top will always show the latest version. --- **Questions?** Drop us a line at **vrabacdanas@gmail.com** and we’ll get back to you.