Privacy Policy


Intro

By accepting this Privacy Policy, you expressly consent to the processing of your personal data in accordance with the purposes and conditions set out herein.

This Privacy Policy applies to the personal data we collect when you access or use the Application and/or the Website provided by the Data Controller identified above.

The Data Controller collects, processes, and stores personal data within the European Union and is able, at any time, to demonstrate compliance with applicable European Union legislation and with the principles set out in this document.

All personal data processing activities carried out by the Data Controller are performed in accordance with the provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR).

Definitions

Data Controller – the entity identified above, which determines the purposes and means of processing personal data.

User – any natural person who uses the Application and/or the Website, being at least 16 years of age (or the minimum legal age required to access or use an online service without the need for parental or guardian consent, in accordance with applicable law).

Application – the mobile application provided by the Data Controller, available on iOS and Android platforms.

Website – the website provided by the Data Controller.

Platform – the Eventya Publishing Platform, an integrated system consisting of a suite of software applications, including websites and mobile applications, protected under copyright law and registered in the National Register of Computer Programs under Certificate Series 466940BV, No. 13210 dated 16.06.2025, operated by the Platform Owner.

Personal Data – any information relating to an identified or identifiable natural person (“data subject”), directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Processing – any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Consent – any freely given, specific, informed, and unambiguous indication of the User’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

Supervisory Authority – an independent public authority established by a Member State pursuant to Regulation (EU) 2016/679.

Roles

The Data Controller is responsible for determining the purposes and means of the Processing of Personal Data.

The Platform Owner, on which the Application and the Website operate, may act as a data processor, processing Personal Data on behalf of the Data Controller, solely for the purpose of fulfilling contractual obligations related to the provision of the Platform.

Principles

The Data Controller’s personal data processing policy is based on the following principles:

  • Lawfulness, fairness, and transparency – Personal Data shall be Processed lawfully, fairly, and in a transparent manner in relation to the User;
  • Purpose limitation – Personal Data shall be collected for specified, explicit, and legitimate purposes and not further Processed in a manner that is incompatible with those purposes;
  • Data minimization – Personal Data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are Processed;
  • Accuracy – Personal Data shall be accurate and, where necessary, kept up to date;
  • Storage limitation – Personal Data shall be kept in a form which permits identification of Users for no longer than is necessary for the purposes for which the data are Processed;
  • Integrity and confidentiality – Personal Data shall be Processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage, through the implementation of appropriate technical and organizational measures.

Who is responsible for the processing of Personal Data?

Responsibility for the Processing of Personal Data lies with the Data Controller, as the provider of the Website and the Application. The Data Controller determines what Personal Data are Processed, for what purposes, and by what means such Processing is carried out.

The Platform Owner on which the Website and the Application operate may also be involved in the Processing of Personal Data, where it acts for the purpose of fulfilling contractual obligations entered into with the Data Controller, in its capacity as a data processor.

The Platform Owner is identified above, together with its contact details.

Legal basis for the Processing of Personal Data

Personal Data are Processed on the basis of the User’s Consent, which is freely given, specific, informed, and unambiguous, in accordance with applicable legislation and the provisions of this Privacy Policy.

The Processing of Personal Data may also be based on one or more of the following legal grounds:

  • the performance of a contract to which the User is a party or in order to take steps at the request of the User prior to entering into a contract;
  • compliance with a legal obligation to which the Data Controller is subject;
  • the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the User;
  • the protection of the vital interests of the User or of another natural person;
  • the performance of a task carried out in the public interest.

What Personal Data do we collect and for what purposes?

We collect Personal Data both from Users who create an account and authenticate within the Application or Website, as well as from Users who use them without authentication.

Personal Data collected from authenticated Users
For authenticated Users, we collect the following Personal Data:
  • Full name – used for the creation and identification of the User account and visible within the platform;
  • Profile photograph – may be optionally added by the User via the “My Account” section;
  • Email address – provided by the User upon authentication;
  • Technical device data (such as operating system, device model, network used, and GPS location – optional and collected only with the User’s Consent) – used exclusively for statistical purposes.

Personal Data collected from unauthenticated Users
For unauthenticated Users, we collect:
  • Technical device data (such as operating system, device model, network used, and GPS location – optional and collected only with the User’s Consent) – used for statistical purposes and for identifying and resolving potential errors;
  • Data voluntarily provided through contact forms (Helpdesk), including in anonymous mode, such as:
    • Email address (used for request validation and, where applicable, for providing a response to the User);
    • any other information entered in the form fields, depending on the configuration of the respective form;
    • any documents or files attached by the User.

Data collected from the use of the Application and Website
In addition to the data mentioned above, we also collect information resulting from the use of the Application and/or Website, as follows:
  • Technical device data (under the same conditions as described above), used for statistical purposes;
  • data collected via Google Analytics, used to analyze User behavior and identify usage patterns;
  • information generated through the creation of collections of locations and events, used for statistical purposes in order to identify User preferences and the most popular points of interest.

Special categories of Personal Data
The Data Controller does not Process within the Application and Website any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, nor genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

What Personal Data are collected for account creation and what information is public?

For the creation of a User account within the Application and/or Website, the following Personal Data are required:
  • Full name;
  • Email address.

The User profile created within the Application may be publicly visible, and the following information may be displayed:
  • Full name;
  • Profile photograph (if the User chooses to add one).

Where a User publishes reviews within the Application and/or Website, the content of such reviews, together with the full name associated with the account, will be publicly displayed within the Application and on the Website.

For what purposes are Personal Data processed?

Personal Data are Processed for the following purposes:
  • Account authentication and validation – for verifying the identity of the User by transmitting a confirmation code to the provided email address;
  • Push notifications – Users may receive notifications regarding content published within the Application. The activation of such notifications is optional and may be enabled upon installation or subsequently via the Application settings;
  • Reviews and user-generated content – User data are used for the publication and display of reviews and other content generated by Users as part of the Application’s functionalities. Users may edit or delete their reviews at any time. Upon deletion of the User account, all reviews associated with that User are removed;
  • Newsletter communications – Users may voluntarily subscribe to the newsletter via the Website by providing their full name and email address. Such data are managed through Mailchimp for the purpose of sending periodic communications;
  • Analysis and statistics – data are Processed in order to understand how the Application and Website are used and to improve services, through:
    • the platform’s internal analytics system;
    • Google Analytics, used to generate statistical reports relevant for marketing and optimization purposes.

In all cases, data used for analytical purposes are aggregated and anonymized, are not used for the direct identification of Users, and are not made public.

How are Personal Data collected and processed?

The collection of Personal Data is carried out through the following means:

Automatically, upon the use of the Application and upon the creation of a User account, the following data are collected:
  • Full name;
  • Email address;
  • Device information (such as operating system, device model, and network used);
  • GPS location (optional and collected only with the User’s Consent);

Directly from the User, through the completion of the registration form, where the following data are provided:
  • Full name;
  • Email address;
  • Profile photograph, which may be added subsequently on an optional basis.

The Processing of Personal Data is carried out by the Data Controller, using both automated and, where necessary, manual means, in accordance with the purposes described in this Privacy Policy.

How is the Processing of Personal Data carried out?

The Processing of Personal Data is carried out as follows:
  • Automatically, through the internal systems of the Platform, for the purpose of analyzing the use of the Application and generating statistical data;
  • Automatically, through Google Analytics, for statistical purposes and service optimization;
  • Manually, by the responsible team, for the preparation of internal reports and marketing analyses.

Data used for statistical purposes are aggregated and anonymized, are not used for the direct identification of Users, and are not made public.

For how long are Personal Data stored?

Personal Data are stored for the duration of the User account’s existence.

In the event of account deletion, such data are erased without undue delay.

Data used for statistical purposes are anonymized and may be retained for an indefinite period, provided that they no longer allow the direct or indirect identification of Users.

The User has the right to request, at any time, access to, rectification, or erasure of their Personal Data, either by using the mechanisms available within the Application or by submitting a dedicated request.

Deletion of the User account results in the removal of all associated Personal Data (including full name, email address, profile photograph, and password), as well as data generated through the use of the Application (such as saved collections or followed pages), under the conditions set out above.

Communication via the contact form (Helpdesk)

Users may submit requests through the contact form available within the Application and on the Website. Such messages are managed by the Data Controller through a Helpdesk-type system.

In this context, Personal Data provided by the User through contact forms configured within the Platform are collected. These may include, without limitation:
  • Full name;
  • Email address;
  • the content of the transmitted message;
  • any other information entered in the form fields, depending on the configuration of the respective form;
  • any documents or files attached, where such option is available.

The type and volume of Personal Data collected depend on the configuration of the form used, as determined by the platform administrator.

Users are encouraged not to transmit sensitive Personal Data or confidential information through contact forms, unless strictly necessary.

The Processing of such data is carried out exclusively for the following purposes:
  • receiving, managing, and resolving submitted requests;
  • communicating with the User for the purpose of providing a response.

Personal Data transmitted via the contact form are stored for the period necessary to resolve the request and, thereafter, may be retained for an additional period for administrative and record-keeping purposes, in accordance with applicable legal requirements.

Interaction with the virtual assistant (AI Chat)

The Application and the Website provide Users with the possibility to interact with a virtual assistant based on artificial intelligence, in order to obtain information and recommendations.

In the context of using this service, the following Personal Data are Processed:
  • the content of messages transmitted by the User;
  • technical data associated with usage (e.g., IP address, device type).

User messages are stored in the Application’s database, managed by the Data Controller, and are used for the following purposes:
  • providing the requested responses;
  • monitoring and improving the service.

For the purpose of generating responses, messages are transmitted to OpenAI, using GPT models. This provider acts as a data processor and Processes Personal Data in accordance with its own policies and applicable contractual arrangements.

Data transmitted to OpenAI are not used for training the models, in accordance with the configuration of the service used.

User conversations are stored without a predefined retention period, unless the User requests their deletion or deletes their account.

The Application implements technical measures to limit risks associated with the use of this service, including message length limitations, content filtering, and request rate limiting.

Users are responsible for the content of the messages they transmit and are encouraged not to include sensitive Personal Data or confidential information in their interactions with the virtual assistant.

To whom do we transfer Personal Data and for what purposes?

For the provision and improvement of the services offered through the Application and the Website, Personal Data may be transferred to the following service providers:
  • Google Analytics (United States of America): data are Processed for statistical analysis and marketing purposes, in order to understand User behavior and optimize the Application and the Website;
  • AppSignal (Amsterdam, European Union): technical data, such as operating system and IP address, are Processed for the purpose of monitoring application performance and identifying potential errors;
  • DigitalOcean (United States of America): the Platform and database are hosted on this provider’s infrastructure, which involves the storage of data in data centers operated by it.

Transfers of Personal Data outside the European Economic Area are carried out in compliance with applicable legal mechanisms, including the use of Standard Contractual Clauses approved by the European Commission or other appropriate safeguards, in accordance with applicable legislation.

What security measures have we implemented?

The Data Controller implements appropriate technical and organizational measures to ensure the security of Personal Data, including protection against unauthorized or unlawful Processing, as well as against accidental loss, destruction, or alteration.

The measures implemented include, without limitation:
  • Encryption of communications through the use of SSL/TLS protocols, ensuring the protection of data transmitted between the Application, the Website, and the servers;
  • Secure authentication mechanisms, including the use of one-time passwords (OTP);
  • Protection of request integrity through the use of signing and authorization mechanisms (HMAC);
  • Restricted access to infrastructure, by limiting access to authorized IP addresses for the Application servers and databases;
  • Server-level access control, through the use of private SSH keys and strict authentication policies.

These measures are subject to periodic review in order to ensure an appropriate level of security in relation to the identified risks.

User Rights

1. Right of access
The User has the right to obtain confirmation as to whether or not Personal Data concerning them are being Processed, and, where that is the case, access to such data and information regarding the purposes and methods of Processing.

2. Right to rectification
The User has the right to obtain, without undue delay, the rectification of inaccurate Personal Data or the completion of incomplete Personal Data.

3. Right to erasure (“right to be forgotten”)
The User has the right to obtain the erasure of their Personal Data without undue delay where one of the following grounds applies:

i. the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise Processed;

ii. the User withdraws their Consent, and there is no other legal ground for the Processing;

iii. the User objects to the Processing, and there are no overriding legitimate grounds for the Processing;

iv. the Personal Data have been unlawfully Processed;

v. the Personal Data must be erased to comply with a legal obligation;

vi. the Personal Data have been collected in relation to the provision of information society services.

4. Right to restriction of Processing
The User has the right to obtain restriction of Processing where one of the following applies:

i. the accuracy of the Personal Data is contested, for a period enabling verification of their accuracy;

ii. the Processing is unlawful and the User opposes the erasure of the data and requests the restriction of their use instead;

iii. the Data Controller no longer needs the Personal Data for the purposes of Processing, but they are required by the User for the establishment, exercise, or defense of legal claims;

iv. the User has objected to the Processing, pending the verification whether the legitimate grounds of the Data Controller override those of the User.

5. Right to object
The User has the right to object, on grounds relating to their particular situation, at any time to the Processing of Personal Data, including profiling, where such Processing is based on the performance of a task carried out in the public interest or on the legitimate interests pursued by the Data Controller or a third party.

In such cases, the Processing shall cease unless the Data Controller demonstrates compelling legitimate grounds which override the interests, rights, and freedoms of the User, or for the establishment, exercise, or defense of legal claims.

Where Personal Data are Processed for direct marketing purposes, the User has the right to object at any time to such Processing, including profiling related to such marketing.

6. Right to data portability
The User has the right to receive the Personal Data concerning them, which they have provided to the Data Controller, in a structured, commonly used, and machine-readable format, and to transmit those data to another controller, where the Processing is based on Consent or on a contract and is carried out by automated means.

Where technically feasible, the Personal Data may be transmitted directly from one controller to another.

Changes to the Privacy Policy

This Privacy Policy may be updated from time to time as a result of changes in applicable legislation or modifications to the structure and functionalities of the Application and the Website.

Where such changes occur, Users will be informed in advance, prior to their entry into force, through appropriate means such as in-app notifications or notices published on the Website.

Users are encouraged to review this page periodically in order to stay informed about the latest updates regarding our Processing of Personal Data.

How can you contact us?

For any questions or requests regarding the Processing of your Personal Data, you may contact the Data Controller by submitting a written request or by email. The relevant contact details are available in the Contact Information section above.

If you wish to submit a complaint regarding the Processing of your Personal Data, you may contact us using the same details. We will respond within the applicable legal timeframes, in accordance with our internal policies and procedures.

If you consider that your rights relating to the Processing of Personal Data have been infringed and the Data Controller has not adequately addressed your complaint, you have the right to lodge a complaint with a Supervisory Authority.

In Romania, the competent Supervisory Authority is the National Supervisory Authority for Personal Data Processing, headquartered in Bucharest, Bd. Gen. Gheorghe Magheru no. 28–30, District 1, postal code 010336.
