Privacy Policy for the "Adsum" Application

1. Data Controller

The controller of the personal data of the application users is:

The controller independently determines the purposes and means of processing personal data related to the use of the application.

2. Scope of Processed Data

The following personal data is processed within the application:

Note: The application does not process sensitive data within the meaning of Article 9 of the GDPR.

3. Purposes and Legal Bases for Processing

3.1. Implementation of application functionality

Processing of personal data is necessary for the operation of the application, in particular:

• creating and managing trips,
• enabling users to join trips,
• displaying the list of participants,
• facilitating communication through group and private chat.

Legal basis: Article 6(1)(b) GDPR (performance of a service).

3.2. Handling user inquiries

Data is processed to respond to requests, such as data deletion requests.

Legal basis: Article 6(1)(c) and (f) GDPR.

4. Visibility of Data to Other Users

• First name and last name of a participant are visible to all participants of a given trip.
• Phone number, if provided, is visible only to the organizer and co-organizers of the trip.
• Messages sent in the general chat are visible to all trip participants.
• Private messages are visible only to the participants involved in the conversation.

5. Sharing Data with Third Parties

Data is stored using Firebase/Firestore services provided by:

Google processes data solely as a data processor – in accordance with the data processing agreement (Firebase Data Processing and Security Terms). Data is not profiled or used for marketing purposes.

Apart from Google, data is not shared with any other entities nor sold.

6. Data Retention Period

Participant data is retained:

• Until the trip is ended by the organizer (using the "End trip" function) – at which point all content related to the trip, including personal data and messages, is permanently deleted from Firestore.
• Until a data deletion request is made by the user, if the user wishes to delete their data before the trip ends.
• Data of a user who leaves a trip is retained until the trip is ended by the organizer or until a deletion request is made – this allows the user to return to the trip.

Data is stored only for as long as necessary to fulfill the application's functions.

7. User Rights

Users have the right to:

• access their data,
• rectify their data,
• erase their data ("right to be forgotten"),
• restrict processing,
• object to processing,
• data portability,
• lodge a complaint with the relevant supervisory authority.

The controller fulfills requests without undue delay, no later than within 30 days.

8. Voluntary Provision of Data

Providing data is voluntary but recommended for proper mutual identification of trip participants. Users who do not wish to provide their first and last name may fill these fields with any content (e.g., a nickname of their choice).

9. Automated Decision-Making and Profiling

Data is not subject to automated decision-making or profiling.

10. Data Security

The application uses security measures provided by Firebase/Firestore, including:

• data encryption during transmission (TLS),
• access control based on Firestore rules,
• user authentication (if used).

The controller applies the principle of data minimization and stores data only for as long as necessary.

11. Changes to the Privacy Policy

This policy may be updated in case of functional changes to the application or legal requirements. Users will be informed of changes through an update on the website.