1. Who processes your data
The data controller is the person operating under the trade name “Baltava” (the “Operator”, “we”, “Service”), available via the mobile app and related web pages (https://baltava.com).
Official legal entity or sole trader registration details will be published in the app once commercial registration is completed. Until then, contact info@baltava.com for all privacy matters.
2. Who this Policy applies to
This Policy applies to users in the European Union and European Economic Area (EU/EEA) and to everyone who uses the Service. You must be at least 16 years old, or act with parental or legal guardian consent.
3. Data we process
- Account — name, username, email, phone (if provided), sign-in method (email, Google, Apple), password hash.
- Profile — avatar, bio, language, notification settings, verification status.
- Content — listings, business profiles, photos, prices, descriptions, address and coordinates (if you provide them).
- Communications — messages between users, support requests, complaints, and reviews.
- Payments — amount, currency, status, Stripe transaction ID. Card data is processed by Stripe; we never receive your full card number.
- Technical data — device model, push token, IP address (via provider infrastructure), error logs, and app usage events.
4. Why we process data and legal bases (GDPR)
- Registration, sign-in, listing publication, and other Service features — performance of the user agreement (Art. 6(1)(b) GDPR).
- Moderation and fraud or abuse prevention — legitimate interest of the Operator (Art. 6(1)(f) GDPR).
- Push and email notifications about messages, statuses, and service events — consent, withdrawable in settings (Art. 6(1)(a) GDPR).
- Analytics and product improvement — legitimate interest or consent where required by applicable law.
- Accounting, taxes, and responses to lawful requests from authorities — legal obligation (Art. 6(1)(c) GDPR).
5. Who we share data with
We use trusted contractors (processors) who act on our instructions and must protect your data:
- Google Firebase / Google Cloud (US & EU) — hosting, authentication, database, file storage.
- Stripe (US/EU) — payment processing.
- Resend — service emails (verification, notifications).
- Expo, Apple, Google — push notification delivery.
Where data is transferred outside the EU/EEA, we use EU Standard Contractual Clauses (SCC) or other GDPR-compliant mechanisms.
6. How long we keep data
- Account data — while the account is active.
- After account deletion — erasure or anonymisation within 90 days, unless law requires longer retention.
- Payment records — as required by tax and accounting law (typically up to 7 years).
- Security logs — up to 12 months, unless incident investigation requires longer retention.
7. Your rights
Under GDPR you may:
- confirm whether we process your data and obtain a copy;
- rectify inaccurate or incomplete data;
- request erasure (“right to be forgotten”) where grounds exist;
- restrict processing or object to processing;
- receive your data in a portable format;
- withdraw consent — without affecting lawfulness of processing before withdrawal.
Email info@baltava.com with subject “Personal data” and include your account email. We respond within 30 calendar days. You may also lodge a complaint with the supervisory authority in your country of residence or work.
8. Recommendations and ranking
The Service may order listings and businesses by category, location, activity, and paid promotion. This does not produce legal effects concerning you under Art. 22 GDPR (automated decision-making).
9. Security
We apply risk-appropriate measures: TLS encryption, Firebase access rules, role separation, and backups. No internet transmission is 100% secure — use a strong password and do not share account access with others.
10. Policy changes
The current version is always available in the app (Settings → Privacy Policy). Material changes will be notified via the app or email at least 14 days in advance where possible.