Legal
Privacy Policy
Last updated: [PLACEHOLDER: EFFECTIVE DATE]
1. Introduction and data controller
This Privacy Policy explains what personal data [PLACEHOLDER: COMPANY NAME] S.R.L. (ORC no. [PLACEHOLDER: ORC NUMBER], registered office: [PLACEHOLDER: FULL REGISTERED ADDRESS], Timișoara, România) collects when you use the Ciripi social platform at ciripi.com and as a Progressive Web App (“Service”), why we collect it, how long we keep it, who we share it with, and what rights you have.
“Ciripi”, “we”, “us”, and “our” refer to [PLACEHOLDER: COMPANY NAME] S.R.L., which acts as the data controller for all personal data processed through the Service.
We do not currently have a designated Data Protection Officer (DPO). For all data-protection enquiries, contact us at privacy@ciripi.com.
This policy applies to all users, including registered members and unregistered visitors browsing public pages. It should be read alongside our Terms of Service and Cookie Policy.
2. Personal data we collect
2.1 Account and authentication data
- Email address — collected at registration; used for authentication, email verification, and service communications.
- Username — a public display name (3–20 characters) chosen by you.
- Password — if you register with email and password, your password is processed by Supabase Auth and stored as a cryptographic hash (bcrypt). We never store or access your password in plain text.
- Google OAuth identity — if you sign in with Google, we receive from Google your email address, display name, and profile picture URL. We do not receive your Google password.
2.2 Profile data (all optional)
- Profile photo (uploaded image, stored in Supabase Storage)
- Cover image (uploaded image, stored in Supabase Storage)
- Bio text (max 160 characters)
- Interests / hobby tags (array of category slugs, max 10)
- Default avatar — if you do not upload a photo, a visual avatar is generated by sending your pseudonymous user ID (a UUID) to DiceBear’s API (api.dicebear.com) as a deterministic seed. See §4 for details.
- Karma points — an engagement score calculated automatically from your activity (posts, comments, votes received).
2.3 Location data — processed with particular care
Location features are entirely voluntary. If you choose to enable them, we collect one of the following depending on your chosen mode:
- By Area (precise): latitude, longitude, search radius (km), and a location label you type (e.g. “Cluj-Napoca”).
- By Country: a country name only; no coordinates are collected or stored.
See §5 for the full location-data section.
2.4 User-generated content
- Posts (title, body text, images, videos)
- Blog articles (title, rich-text content blocks, embedded images)
- Comments on posts and blogs (text, optional image or video)
- Votes (upvote or downvote) on posts, blogs, and comments
- Direct messages — text, images, and videos exchanged privately between users
- Event-chat messages — text, images, and videos within event chat rooms
- Event details created by you (title, description, location, dates, cover image)
- Group requests (name, description, icon)
- Content reports (category, optional description)
- Support tickets (category, message text)
2.5 Social graph and participation data
- Follow relationships (who you follow and who follows you)
- Group memberships (which groups you belong to, join date)
- Event RSVP status (Participating or Maybe) — visible to other event participants
- In-app notifications (actor, action type, related content, read status)
2.6 Technical and performance data
- Core Web Vitals metrics (CLS, FCP, LCP, TTFB, INP) — collected in-browser via the
web-vitalslibrary and sent to our internal analytics endpoint. Each submission also carries:- User-Agent string (browser type and version)
- Referer URL (the page being measured)
- Web Push subscription token — a browser-generated identifier stored when you opt in to push notifications.
- Standard server access logs (IP address, request path, timestamp) — generated by our hosting provider, Vercel, and retained for 30 days.
3. Lawful bases for processing
We process personal data only where a valid lawful basis exists under Article 6 of Regulation (EU) 2016/679 (GDPR) and Romanian Law no. 190/2018.
3.1 Performance of a contract — Art. 6(1)(b)
Processing necessary to provide the Service you requested when you created an account:
- Account creation and authentication
- Profile storage and display to other users
- Publishing posts, blogs, comments, and votes
- Direct and event-chat messaging
- Event creation and RSVP management
- Group membership management
- In-app notification delivery
- Support ticket handling and response
- Data export (“Download My Data”)
- Default avatar generation (your pseudonymous user UUID is sent to DiceBear as a seed to produce a visual avatar on account creation)
3.2 Consent — Art. 6(1)(a)
Processing only where you have freely, specifically, and unambiguously given informed consent:
- Location-based feed filtering — you voluntarily save a location in Settings. You may withdraw consent at any time by removing your location.
- Push notifications — you grant explicit browser-level permission. You may withdraw at any time in Settings → Notifications.
- Performance local cache — feed data is cached in your browser only if you choose “Accept all” in the cookie banner. Choosing “Essential only” disables this cache. You can change your choice by clearing site data.
Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
3.3 Legitimate interests — Art. 6(1)(f)
Processing where our legitimate interests — or those of the wider community — are not overridden by your interests, rights, and freedoms:
Performance monitoring (Web Vitals)
Interest: monitoring and improving the technical performance of the Service. Minimal personal data involved (UA string and referrer URL); no profiling; no linkage to user accounts; data retained for [PLACEHOLDER: retention period, e.g. 90 days]. You may object — see §9.
Content moderation and community safety
Interest: operating a safe platform and protecting users from harm. Processing includes reviewing reported content and maintaining moderation records. See §6 for automated moderation.
Fraud and abuse prevention
Interest: detecting and preventing ban evasion, spam, vote manipulation, and other abusive behaviour.
3.4 Legal obligation — Art. 6(1)(c)
- Responding to valid legal orders, judicial proceedings, or law-enforcement requests under Romanian or EU law
- Reporting child sexual abuse material (CSAM) to law enforcement as required by applicable law
4. Sub-processors and data sharing
We share personal data only with the following sub-processors, each bound by a data-processing agreement (DPA) or equivalent instrument. We do not sell personal data, serve targeted advertising, or share data with advertisers or data brokers.
- Purpose: Database, authentication, file storage, real-time subscriptions
- Data received: All personal data categories listed in §2, including location coordinates, messages, and device tokens
- Transfer basis: Data stored exclusively in EU (Ireland); no international transfer
- DPA: Supabase Data Processing Agreement — GDPR-compliant; Row Level Security enforced on all tables
- Purpose: Application hosting and global content delivery
- Data received: Standard HTTP access logs — IP address, request path, User-Agent, timestamp. No application-level personal data is deliberately sent to Vercel.
- Transfer basis: Vercel’s DPA with Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c); EU edge infrastructure processes EU traffic
- Retention: Access logs retained 30 days
- Purpose: OAuth identity verification — only when you choose “Continue with Google”
- Data received: Your Google-account email address, display name, and profile picture URL
- Transfer basis: Google’s SCCs and EU data-processing commitments; Google Ireland Ltd. is the data controller for the OAuth step under Google’s own Privacy Policy
- Note: If you use Google Sign-In, Google’s Privacy Policy applies to Google’s own processing
- Purpose: Generating a default profile avatar when you have not uploaded a custom photo
- Data received: Your pseudonymous user ID (a UUID) as a URL query parameter (
seed=<uuid>). The UUID is not directly personally identifiable without cross-reference to Ciripi’s database. - Transfer basis: [PLACEHOLDER: confirm DiceBear’s jurisdiction and whether a DPA or SCCs are required]
- Note: You can eliminate this transfer at any time by uploading a custom avatar in Settings → Edit Profile
- Purpose: Delivering push notifications to your device (only if you opt in)
- Involved parties: Google (Chrome — FCM), Mozilla (Firefox — Mozilla Push Service), Apple (Safari — APNs), depending on the browser you use
- Data: Notification payloads are end-to-end encrypted with VAPID keys; the browser vendor can see the encrypted payload envelope but cannot read message content
- Transfer basis: Governed by the browser vendor’s own terms; Ciripi has no direct DPA with these vendors for this standard web protocol
5. Location data — special provisions
Because location data can be particularly sensitive, we apply additional safeguards:
- Entirely voluntary. Location features are opt-in. You can use Ciripi fully without providing any location information.
- Not shared with other users. Your precise coordinates are never displayed to or shared with other users. Only you see your saved location in Settings.
- Used only for feed filtering. Coordinates are used server-side to compute which posts and events fall within your chosen radius using standard geodesic distance calculation (Haversine formula). No other use is made of your coordinates.
- Events. When you create an event, the human-readable location label (e.g. “City Park, Timișoara”) that you type is visible to event participants. Any precise coordinates you set for event-location purposes are used only for distance filtering and are not individually disclosed to participants.
- Withdrawable at any time. You may remove your saved location at any time in Settings → Location & Feed. After removal, your coordinates are immediately deleted from our database.
- Lawful basis: Consent (Art. 6(1)(a) GDPR). Withdrawal of consent does not affect the lawfulness of prior processing.
6. Automated decision-making
Ciripi operates an automated text-moderation filter that runs locally in your browser before content is submitted. The filter checks text against a list of prohibited terms and harassment patterns. If triggered, the specific submission is blocked and not sent to our servers; no other action is taken automatically against your account.
This automated measure falls within Article 22(2)(b) GDPR (automated decisions necessary under the contractual terms you accepted). Its only effect is preventing a specific submission from being published; it does not alter your account status, restrict your other rights, or produce any legal effect of significance beyond that single blocked action.
If your content is blocked and you believe this was in error, you have the right to contest the outcome by contacting support@ciripi.com, where a human member of our team will review your case.
Beyond the moderation filter, we do not make solely automated decisions that produce legal or similarly significant effects concerning you.
7. Data retention
We retain personal data only for as long as necessary for the purposes set out in this policy, or as required by law.
When you request account deletion, we aim to complete the erasure of identifiable personal data within 30 days. Residual copies in encrypted back-up snapshots are overwritten within the normal back-up rotation cycle.
8. International data transfers
Most personal data remains within the European Economic Area (EEA):
- Supabase stores all data in Ireland (eu-west-1 region) — no international transfer.
- Vercel — access logs may be processed by Vercel Inc. in the United States under Standard Contractual Clauses (SCCs) adopted pursuant to Commission Decision 2021/914/EU.
- Google — OAuth authentication data is processed by Google Ireland Ltd. (EEA entity); any onward transfers by Google are covered under Google’s own SCCs.
- DiceBear — [PLACEHOLDER: confirm jurisdiction and transfer mechanism if outside EEA].
You may request a copy of the applicable transfer safeguards by emailing privacy@ciripi.com.
9. Your rights under GDPR
As a data subject under GDPR and Romanian Law no. 190/2018, you have the following rights. They are not absolute — exceptions apply in limited circumstances permitted by law — but we will respond to every valid request.
Right of access (Art. 15)
Request a copy of the personal data we hold about you. For a structured, machine-readable export, use Settings → Account → Download My Data, which instantly downloads a complete JSON bundle covering your profile, posts, blogs, comments, votes, follows, memberships, event RSVPs, group requests, and support tickets.
Right to rectification (Art. 16)
Correct inaccurate personal data at any time via Settings → Edit Profile or by emailing us.
Right to erasure — “right to be forgotten” (Art. 17)
Request deletion of your account and all associated personal data by emailing privacy@ciripi.com or using Settings → Account → Delete Account. We will complete erasure within 30 days. Certain data may be retained where we have a legal obligation to do so.
Right to restriction of processing (Art. 18)
Ask us to suspend processing of your data in certain circumstances (e.g. while you contest its accuracy). Email us to exercise this right.
Right to data portability (Art. 20)
Receive your data in a structured, commonly used, machine-readable format (JSON) via the Download My Data function in Settings.
Right to object (Art. 21)
Object to processing carried out on the basis of legitimate interests (§3.3), including Web Vitals analytics and content moderation. We will cease that processing unless we demonstrate compelling legitimate grounds that override your interests.
Right not to be subject to solely automated decisions (Art. 22)
As described in §6, our automated content filter has a limited, non-significant effect. You may contest any automated blocking by contacting support@ciripi.com for human review.
Right to withdraw consent (Art. 7(3))
Where processing is based on your consent (location, push notifications, performance cookie cache), you may withdraw at any time via the relevant Settings page or by contacting us. Withdrawal does not affect the lawfulness of prior processing.
10. How to exercise your rights
Email privacy@ciripi.com with your request. We will acknowledge receipt within 3 working days and respond within 30 calendar days. For complex or multiple requests, we may extend this period by a further 60 days with notice.
We may need to verify your identity before acting on a request. We will not charge a fee for reasonable requests; we reserve the right to charge a reasonable fee or refuse manifestly unfounded or excessive requests.
11. Lodging a complaint with ANSPDCP
If you believe we have not handled your personal data in accordance with GDPR or Romanian Law no. 190/2018, you have the right to lodge a complaint with the competent supervisory authority:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28–30, Sector 1, București 010336, România
Website: www.dataprotection.ro
anspdcp@dataprotection.ro
You also have the right to lodge a complaint with the supervisory authority in your EU member state of habitual residence or place of work.
12. Security
We implement technical and organisational measures appropriate to the risk, including:
- HTTPS (TLS) enforced on all connections; HSTS preloading in production
- Passwords processed by Supabase Auth using bcrypt hashing
- Row Level Security (RLS) on all Supabase database tables
- JWT access tokens with short expiry and automatic refresh
- Least-privilege API key scopes (anon key for client; service-role key server-side only)
- Content Security Policy (CSP) with per-request nonces
No system is entirely secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and in any case within 72 hours of becoming aware, as required by GDPR Art. 34.
13. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has created an account on Ciripi, please contact us at privacy@ciripi.com and we will delete the account and associated data immediately upon verification.
14. Changes to this policy
We may update this policy when the Service changes or when legal requirements change. For material changes we will notify you by email and/or in-app notice at least 30 days before the change takes effect. We will update the “Last updated” date at the top for all changes. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
15. Contact
For data-protection queries, rights requests, or complaints about our data practices:
- Email: privacy@ciripi.com
- Postal address: [PLACEHOLDER: COMPANY NAME] S.R.L., [PLACEHOLDER: FULL REGISTERED ADDRESS], Timișoara, România