Rewandr Privacy Policy
Effective date: Sept 13, 2025
1) Who We Are & Scope
1.1. Controller. Rewandr Sp. z o.o., Szeligowska 30/32, 01-320 Warsaw, Poland (“we”, “us”, “company”) is the data controller for personal data processed via the Rewandr mobile application (the “App”) and our public website (the “Website”).
1.2. Contact. Privacy inquiries: privacy@rewandr.com.
1.3. Supervisory authority. You may lodge a complaint with UODO (Polish Data Protection Authority) or your local EEA/UK authority.
1.4. Scope of this Policy. This Policy explains what we collect, why, how we use and share it, how long we keep it, your rights, and how to contact us. It applies to the App and Website. If we make material changes, we will update the effective date and provide notice where required.
1.5. Key points (summary). We remove metadata from photos you upload, we don’t send personal data to LLMs, we don’t run ads or sell your data, and you can delete your account in-app at any time.
2) Data We Collect
We collect only what we need to provide and improve the Service.
2.1. Account & Profile (App)
- Email address, name/display name.
- Preferences (e.g., language, theme).
- Partial device information: device model, OS version, app version, language/region; and IP address (appears in infrastructure/auth logs).
- Authentication via sign in with Apple/Google. Depending on your provider settings, we receive your email and (optionally) name.
2.2. User Content (App)
- Photos and text you upload to your private library.
- Stored in private buckets; images are resized for delivery and EXIF/metadata (incl. geotags) are removed on upload.
- Your User Content is private to you inside the App; we don’t publish it for other users without your explicit action/consent.
2.3. Purchases (App)
- Transaction metadata from Apple App Store / Google Play / RevenueCat (e.g., order ID, product, price/currency, status).
- We do not receive or store your payment card details.
2.4. Communications
- Emails (e.g., sign-in codes, receipts, account/security notices, app updates, etc.) via Resend.
2.5. Telemetry & Diagnostics
- Minimal technical/build logs via Sentry (e.g., crash/diagnostic data associated with device model/OS/app version).
- Used to maintain and secure the Service, and to improve reliability/performance.
2.6. Website: Cookies & Analytics
- The Website uses analytics cookies/SDKs to understand aggregated usage (pages visited, traffic sources, device/OS/browser).
- Cookie categories, choices, and retention are described in Section 5.
2.7. What we do not collect
- No precise or background location data.
- No personal data sent to LLMs (see Section 4).
- No third-party advertising identifiers for ad networks.
3) Purposes & Legal Bases (GDPR)
We only process what’s needed, on these grounds:
- Run the App & your Account
Provide core features, authenticate via sign in with Apple/Google, store your User Content (private library), enable Coins/Bundles.
Legal basis: contract (Art. 6(1)(b)).
- Purchases & Support
Handle Apple/Google/RevenueCat transaction metadata, user support, basic records required by consumer/tax rules.
Legal basis: contract and legal obligation (Art. 6(1)(b), (c)).
- Security & Abuse Prevention
Protect accounts, investigate misuse/fraud, ensure service integrity; process IP address and limited device/usage logs.
Legal basis: legitimate interests and, where applicable, legal obligation (Art. 6(1)(f), (c)).
- Reliability & Product Improvement
Diagnostics/crash/performance via Sentry; we minimize identifiers.
Legal basis: legitimate interests (Art. 6(1)(f)).
- Emails
Sign-in codes, security notices, receipts via Resend. (No marketing emails.)
Legal basis: contract and/or legal obligation (Art. 6(1)(b), (c)).
- Website Analytics
Measure aggregate Website usage with analytics cookies/SDKs.
Legal basis: consent (Art. 6(1)(a)); you can withdraw anytime (see Section 5).
- Compliance & Enforcement
Handle legal requests/notices, enforce Terms, protect rights.
Legal basis: legal obligation and legitimate interests (Art. 6(1)(c), (f)).
4) AI Features (No Personal Data to LLMs)
4.1. AI is integral to the App experience, but we do not send personal data (such as your email, name, photos, or precise identifiers) to AI model providers.
4.2. We design prompts to use non-personal, non-identifiable context (e.g., generic location facts, public POI info, template logic) and we strip identifiers before any AI processing.
4.3. AI outputs can be incomplete or inaccurate; always verify important details (see Terms Section 9).
4.4. If our AI architecture changes to involve personal data, we will update this Policy and obtain consent where required.
5) Cookies & Website Analytics
5.1. Where cookies apply. Cookies/SDKs are used on the Website (not the App). We use two categories:
- Essential cookies (no consent): needed for security and core site functionality.
- Analytics cookies (consent): help us understand aggregate usage (pages viewed, referrers, device/OS/browser).
5.2. Your choices.
- On first visit, you can accept, reject, or manage analytics cookies via the banner.
- You can change your choice anytime via Cookie Settings on the Website or through your browser controls.
- Refusing analytics cookies won’t affect essential site functions.
5.3. Data and retention.
- Analytics may collect pseudonymous event data such as page URLs, timestamps, device/OS/browser type, and approximate region derived from IP.
- We configure analytics with short retention and minimize identifiers. Unless a provider requires otherwise, we aim to retain analytics events for up to 30 days.
5.4. No ads. We do not use advertising cookies, cross-site trackers, or sell your personal data.
6) Push Notifications
6.1. Purpose. We use push notifications for service-related messages (e.g., reminders, status updates, important changes).
6.2. Consent & control. Push is opt-in via your device/OS settings; you can disable it anytime in OS settings and, where available, in-App controls.
7) Purchases & Payments
7.1. Platforms. In-app purchases (e.g., coins/bundles) are processed by the Apple App Store, Google Play, and RevenueCat under their Platform Terms.
7.2. Data we receive. We receive transaction metadata (e.g., order ID, product, price/currency, status) to fulfill, support, and prevent fraud. We do not receive or store payment card details.
7.3. Records. We keep minimal purchase/support records as required by Applicable Law (e.g., accounting/consumer law).
7.4. Receipts. Transactional emails (e.g., receipts, security notices) are sent via relevant App Stores.
8) Sharing & Processors
We do not sell personal data. We share it only with service providers that help run the Service, under contracts that require appropriate safeguards.
8.1. Processors we use (summary):
- Supabase (hosting, storage, authentication, infrastructure logs incl. IP addresses).
- Sign in with Apple / Google (authentication).
- Apple App Store / Google Play / RevenueCat (billing and purchase lifecycle).
- Resend (transactional emails).
- Google Maps/Places (map/place data surfaced in-App; requests may include standard technical data).
- Sentry (build/diagnostic signals).
8.2. Website analytics. The Website uses analytics providers for aggregate usage metrics (see Section 5).
8.3. AI providers. Our AI features are integral, but we do not send personal data to AI model providers (see Section 4).
8.4. Legal reasons. We may disclose information if required by law or to protect rights, safety, or the Service (e.g., responding to lawful requests, enforcing Terms).
9) International Transfers
9.1. EU hosting. We host core App data in the EU.
9.2. When data leaves the EEA/UK. Some processors (e.g., email/analytics or platform providers) may process data outside the EEA/UK. In those cases, we use appropriate safeguards, including Standard Contractual Clauses (SCCs), and assess transfers as required. Where relevant, the UK IDTA/Addendum or adequacy decisions may apply.
9.3. More details. You can request information about specific transfer safeguards via privacy@rewandr.com.
10) Retention
10.1. General rule. We keep personal data only as long as needed for the purposes in this Policy, then delete or anonymize it.
10.2. Account & profile. Deleted immediately when you close your account in-app (see Terms 3.5).
10.3. User Content (photos/text). Deleted when you remove it or close your account. Backups/logs may persist up to 30 days before rolling off.
10.4. Logs & diagnostics. Technical/security logs (including IP and device/OS/app version signals) are retained for up to 30 days.
10.5. Website analytics. Aggregated/pseudonymous events are retained for up to 30 days (see Section 5).
10.6. Purchases & legal. Minimal purchase/support records are kept as required by law (e.g., accounting/consumer law), which may exceed the periods above.
10.7. Litigation/security holds. Where necessary, we may preserve data to establish, exercise, or defend legal claims or investigate abuse.
11) Your Rights & Choices
You have rights under GDPR/UK law. You can exercise them via in-app controls (account deletion) or by emailing privacy@rewandr.com. We’ll respond within one month (or explain if more time is needed).
11.1. Access & portability. Get a copy of your data and, where technically feasible, receive it in a machine-readable format.
11.2. Rectification. Ask us to correct inaccurate data.
11.3. Erasure. Delete your data (you can delete your account in-app at any time).
11.4. Restriction. Ask us to limit processing in certain cases.
11.5. Objection. Object to processing based on legitimate interests.
11.6. Withdraw consent. For consent-based processing (e.g., Website analytics cookies, push notifications), you can withdraw at any time via Cookie Settings (Section 5) or your OS settings (Section 6).
11.7. Complaints. You can lodge a complaint with UODO or your local EEA/UK authority. We’d appreciate the chance to resolve issues first via privacy@rewandr.com.
11.8. Identity checks. We may request information to verify your identity and secure your data.
12) Security
12.1. Safeguards. We use appropriate technical and organizational measures, including encryption in transit and at rest, access controls/least privilege, segregated environments, and monitoring for abuse.
12.2. Vendor security. Processors are bound by contracts requiring confidentiality, security, and processing only on our instructions.
12.3. No system is perfect. We work to protect your data, but no method of transmission or storage is 100% secure.
12.4. Incidents. If a personal-data breach occurs, we will notify authorities and affected users where legally required and take steps to mitigate harm.
13) Children
13.1. The App is not intended for under-16s. We do not knowingly collect personal data from children under 16.
13.2. If you believe a child has provided personal data, contact privacy@rewandr.com. We will delete it and close the account where applicable.
13.3. Parents/guardians should supervise children’s device use.
14) Changes & Contact
14.1. We may update this Policy to reflect changes to our Service or legal requirements. We’ll update the effective date and provide notice where required.
14.2. Questions or requests: privacy@rewandr.com.
14.3. Controller: Rewandr Sp. z o.o., Szeligowska 30/32, 01-320 Warsaw, Poland.