Please read this privacy policy carefully. The privacy policy sets out the rules for the processing of personal data collected and processed during the User's use of the Nevt Application, including with regard to User Accounts, participation in Events and membership and activity in Communities.

1. General provisions

1. This Application privacy policy is for informational purposes only, meaning that it is not a source of obligations for Users of the Application. The privacy policy primarily contains the rules for the processing of personal data by the Administrator in the Application, including the grounds, purposes and period of processing, and the rights of data subjects. This privacy policy also applies to the Website available at https://nevt.app/.
2. The administrator of personal data collected via the Application is Jakub Plata, conducting business under the name JAKUB PLATA SOFTWARE, entered in the Central Register and Information on Economic Activity of the Republic of Poland kept by the minister competent for economic affairs, having place of business and address for correspondence: ul. Seweryna Goszczyńskiego 3/5, 30-724 Kraków, Poland, tax ID (NIP) 7343558314, statistical number (REGON) 380061783, email address: jakub.plata@nevt.app – hereinafter the „Administrator" and simultaneously the Service Provider of the Nevt Application.
3. Personal data in the Application is processed by the Administrator in accordance with applicable law, in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter „GDPR" or „GDPR Regulation". The official text of the GDPR: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679.
4. Using the Nevt Application, including making purchases in it, is voluntary. Similarly, the provision of personal data by a User using the Nevt Application is voluntary, subject to two exceptions: (1) concluding the contract – failure to provide, in the cases and scope indicated in the Nevt Application, in the Nevt Application Terms and in this privacy policy, personal data necessary to conclude a contract for the use of the Application or individual Electronic Services (e.g. Account registration, activation of paid access to the Application etc.) will result in the inability to conclude the contract and use the Application's services. The provision of personal data is then a contractual requirement and if the data subject wishes to use a given Electronic Service available in the Application, they are required to provide the data requested. The scope of data required to use specific Application services is indicated in advance in the Nevt Application and in the Nevt Application Terms; (2) the Administrator's statutory obligations – the provision of personal data is a statutory requirement arising from generally applicable provisions of law imposing on the Administrator the obligation to process personal data (e.g. to keep accounting books) and failure to provide them would prevent the Administrator from fulfilling such obligations.
5. The Administrator exercises special care to protect the interests of the data subjects, and in particular is responsible and ensures that the data collected are: (1) processed lawfully; (2) collected for specified, lawful purposes and not subjected to further processing inconsistent with these purposes; (3) substantively correct and adequate in relation to the purposes for which they are processed; (4) stored in a form enabling the identification of the persons concerned, for no longer than is necessary to achieve the purpose of the processing; and (5) processed in a manner ensuring adequate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organisational measures.
6. Taking into account the nature, scope, context and purposes of processing and the risk of violation of the rights and freedoms of natural persons of varying likelihood and severity, the Administrator implements appropriate technical and organisational measures to ensure that processing takes place in accordance with the GDPR Regulation and to be able to demonstrate this. These measures are reviewed and updated as necessary. The Administrator applies technical measures to prevent unauthorised persons from obtaining and modifying personal data transmitted electronically.
7. All words, expressions and acronyms occurring in this privacy policy and beginning with a capital letter (e.g. Electronic Service, User, Application) should be understood in accordance with their definition contained in the Nevt Application Terms.

2. Grounds for processing data

1. The Administrator is authorised to process personal data in cases where – and to the extent that – at least one of the following conditions is met: (1) the data subject has given consent to the processing of their personal data for one or more specified purposes; (2) the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract; (3) the processing is necessary for compliance with a legal obligation to which the Administrator is subject; or (4) the processing is necessary for the purposes of legitimate interests pursued by the Administrator or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
2. The processing of personal data by the Administrator requires in each case the existence of at least one of the grounds indicated in point 2.1 of the privacy policy. The specific grounds for processing the personal data of Users of the Nevt Application by the Administrator are set out in the next section of the privacy policy – in relation to each specific purpose of the Administrator's processing of personal data.

3. Purpose, basis and period of data processing in the app

1. In each case, the purpose, basis and period of processing as well as recipients of personal data processed by the Administrator result from the actions taken by the User in the Application.
2. The Administrator may process personal data in the Application for the following purposes, on the grounds and for the periods indicated in the table below:

Purpose of processing data	Legal basis for processing data	Period of storing data
Performance of the contract for the use of the Application or another contract, or taking actions at the request of the data subject prior to entering into the contract	Article 6(1)(b) of the GDPR Regulation (contract) – processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into the contract	Data is stored for the period necessary for the performance, termination or otherwise expiry of the concluded contract.
Sending commercial information, including direct marketing, using terminal equipment (e.g. email, telephone) or automated calling systems	Article 6(1)(f) of the GDPR Regulation (legitimate interest of the Administrator) – processing is necessary for the purposes of the legitimate interests pursued by the Administrator, consisting in caring for the interests and good image of the Administrator, its Application, and striving to sell access packages and services, e.g. in connection with the prior consent given by the data subject (e.g. during Newsletter registration) to the sending of commercial information using terminal equipment such as email or telephone, depending on the scope of consent given	Data is stored for the period of the existence of the legitimate interest pursued by the Administrator, but not longer than the period of limitation of the Administrator's claims against the data subject in respect of business activity conducted by the Administrator. The limitation period is set out in law, in particular in the Civil Code (the basic limitation period for claims related to the conduct of business is three years).
Keeping tax books	Article 6(1)(c) of the GDPR Regulation in connection with Article 86 § 1 of the Tax Ordinance, i.e. the Act of 17 January 2017 (Journal of Laws of 2017, item 201, as amended) – processing is necessary to fulfil a legal obligation to which the Administrator is subject	Data is stored for the period required by provisions of law that oblige the Administrator to keep tax books (until the expiry of the limitation period for the tax liability, unless tax acts provide otherwise).
Establishment, pursuit or defence of claims that the Administrator may raise or that may be raised against the Administrator	Article 6(1)(f) of the GDPR Regulation (legitimate interest of the Administrator) – processing is necessary for the purposes of the legitimate interests pursued by the Administrator – consisting in the establishment, pursuit or defence of claims that the Administrator may raise or that may be raised against the Administrator	Data is stored for the period of existence of the legitimate interest pursued by the Administrator, but not longer than the limitation period for claims that may be raised against the Administrator (the basic limitation period for claims against the Administrator is six years).
Using the Application and ensuring its proper operation	Article 6(1)(f) of the GDPR Regulation (legitimate interest of the Administrator) – processing is necessary for the purposes of the legitimate interests pursued by the Administrator – consisting in operating and maintaining the Application	Data is stored for the period of existence of the legitimate interest pursued by the Administrator, but not longer than the limitation period for the Administrator's claims against the data subject in respect of the Administrator's business activity. The limitation period is set out in law, in particular in the Civil Code (the basic limitation period for claims related to the conduct of business is three years).
Running statistics and analysing traffic in the Application	Article 6(1)(f) of the GDPR Regulation (legitimate interest of the Administrator) – processing is necessary for the purposes of the legitimate interests pursued by the Administrator – consisting in running statistics and analysing traffic in the Application to improve the operation of the Application	Data is stored for the period of existence of the legitimate interest pursued by the Administrator, but not longer than the limitation period for the Administrator's claims against the data subject in respect of the Administrator's business activity. The limitation period is set out in law, in particular in the Civil Code (the basic limitation period for claims related to the conduct of business is three years).

4. Data recipients in the app

1. For the proper functioning of the Nevt Application, including the provision of Electronic Services, it is necessary for the Administrator to use the services of external entities (such as software providers, payment service providers). The Administrator uses the services only of such processors as guarantee the implementation of appropriate technical and organisational measures to ensure that processing meets the requirements of the GDPR Regulation and protects the rights of the data subjects.
2. Personal data may be transferred by the Administrator to a third country, whereby the Administrator ensures that in such cases this takes place in accordance with the GDPR Regulation in relation to a country ensuring an adequate level of protection, and in the case of other countries – on the basis of standard data protection clauses, and the data subject has the possibility of obtaining a copy of their data. The Administrator transfers collected personal data only in the case and to the extent necessary to achieve the given purpose of data processing consistent with this privacy policy.
3. Data is not transferred by the Administrator in every case and not to all recipients or categories of recipients indicated in the privacy policy – the Administrator transfers data only when it is necessary to implement a given purpose of personal data processing and only to the extent necessary to achieve it.
4. Personal data of Users of the Nevt Application may be transferred to the following recipients or categories of recipients:
   1. entities handling electronic payments or card payments – in the case of a User who purchases paid functionality in the Application and uses electronic or card payments, the Administrator shares the collected personal data of the User with the selected entity handling the above payments in the Application on the Administrator's behalf, to the extent necessary to handle the payment made by the User.
   2. providers of accounting, legal and advisory services supporting the Administrator in accounting, legal or advisory matters (in particular accounting offices, law firms or debt collection companies) – the Administrator shares the collected personal data of the User with a selected provider acting on the Administrator's behalf only in the case and to the extent necessary to implement the given purpose of data processing consistent with this privacy policy.
   3. service providers supplying the Administrator with technical, IT and organisational solutions enabling the Administrator to operate and maintain the Application and provide Electronic Services (in particular providers of computing for running the Nevt Application, providers of email and hosting services and providers of software for managing the business and providing technical support to the Administrator) – the Administrator shares the collected personal data of the User with a selected provider acting on the Administrator's behalf only in the case and to the extent necessary to implement the given purpose of data processing consistent with this privacy policy.
5. Data visible to other Users of the Application. Due to the social nature of the Application, selected data of the User is visible to other Users to the extent resulting from the User's use of the Application's functionalities. In particular:
   1. profile data (name, photo, description, ratings) is visible to other Users with whom the User interacts (e.g. participation in the same Event, a Mutual Wave, membership in the same Community);
   2. membership in a Community and messages posted on the Community wall are visible only to other members of that Community; the Creator and moderators of a given Community additionally have access to the list of pending join requests, the list of invitations and the list of banned Users within that Community;
   3. basic information about a Community (name, description, tags, location, number of members, join mode, Creator's data) is visible to all logged-in Users of the Application.
   4. photos uploaded to an Event ("Event Photos") are visible to other participants of that Event while the Event is in progress; after the Event is marked as completed, Event Photos are visible to any logged-in User of the Application. The organizer of the Event or its moderators may set or unset any Event Photo as the cover photo of the Event.
   5. photos uploaded to a Community as Memories ("Community Memories") are visible to other members of that Community.
6. Photos uploaded by Users (Event Photos and Community Memories). Before a photo uploaded by a User is stored, the Application removes technical metadata embedded in the file (in particular EXIF data, including any GPS location of capture and device information). The visible image content is preserved as uploaded. Each Event Photo and Community Memory is stored alongside the identifier and display name of the uploading User and the timestamp of upload, so that other Users can attribute the photo and so that the uploader, the Event organizer or a Community moderator can manage it. A User-uploaded photo may be deleted at any time by the uploader, the Event organizer, or a Community moderator (depending on where the photo was uploaded), and the underlying file is permanently removed from the Application's storage shortly after deletion. Any person who is identifiable in a User-uploaded photo and who has not consented to its publication may request its removal using the in-app reporting tools or by contacting the Administrator at the address indicated at the beginning of this privacy policy.
7. Data related to the handling of reports of violations. In connection with the obligation to ensure the safety of Users and the fulfilment of obligations arising from the Digital Services Act, the Administrator retains records of reports of violations and copies of reported content (e.g. messages, Event descriptions, Community wall messages) also after the deletion of the Account of the reporting User or of the User who is the subject of the report, to the extent and for the period necessary to fulfil legal obligations and to establish, pursue or defend claims.

5. Profiling in the app

1. The GDPR Regulation imposes on the Administrator an obligation to inform about automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR Regulation, and – at least in these cases – important information about the principles of their making, as well as the significance and expected consequences of such processing for the data subject. With this in mind, the Administrator provides in this section of the privacy policy information about possible profiling.
2. The Administrator may use profiling in the Application for direct marketing purposes, but decisions taken on its basis by the Administrator do not concern the conclusion or refusal of the conclusion of a contract, or the possibility of using Electronic Services in the Application. The effect of using profiling may be, for example, a reminder to a given person about unfinished actions in the Application, granting a discount, sending an offer that may correspond to the interests or preferences of a given person, or proposing better terms compared to the standard offer of the Application. Despite profiling, it is the person concerned who freely decides whether they wish to use, for example, the received discount or offer.
3. Profiling in the Application consists in an automatic analysis or prediction of the behaviour of a given person within the Nevt Application, e.g. through analysis of the previous history of actions or purchases in the Application. A condition for such profiling is the Administrator's possession of personal data of the person concerned in order to be able to subsequently send, for example, an offer or discount.
4. The data subject has the right not to be subject to a decision that is based solely on automated processing, including profiling, and produces legal effects concerning them or similarly significantly affects them.

6. Rights of the data subject

1. Right of access, rectification, restriction, erasure or portability – the data subject has the right to request from the Administrator access to their personal data, their rectification, erasure („the right to be forgotten") or restriction of processing, and has the right to object to processing, as well as the right to data portability. Detailed conditions for exercising the above rights are set out in Articles 15-21 of the GDPR Regulation.
2. Right to withdraw consent at any time – a person whose data is processed by the Administrator on the basis of the consent given (on the basis of Article 6(1)(a) or Article 9(2)(a) of the GDPR Regulation) has the right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent before its withdrawal.
3. Right to lodge a complaint with a supervisory authority – a person whose data is processed by the Administrator has the right to lodge a complaint with a supervisory authority in the manner and in the mode specified in the provisions of the GDPR Regulation and Polish law, in particular the Act on the Protection of Personal Data. The supervisory authority in Poland is the President of the Office for Personal Data Protection.
4. Right to object – the data subject has the right to object at any time – on grounds relating to their particular situation – to the processing of personal data concerning them based on Article 6(1)(e) (public interest or public tasks) or (f) (legitimate interest of the Administrator), including profiling on the basis of these provisions. The Administrator shall then no longer process such personal data, unless it demonstrates compelling legitimate grounds for the processing overriding the interests, rights and freedoms of the data subject, or grounds for establishing, pursuing or defending claims.
5. Right to object regarding direct marketing – if personal data are processed for the purposes of direct marketing, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing purposes, including profiling, to the extent that the processing is related to such direct marketing.
6. In order to exercise the rights referred to in this section of the privacy policy, the Administrator may be contacted by sending an appropriate message in writing or by email to the Administrator's address indicated at the beginning of the privacy policy.

7. Cookies and analytics

1. Cookies are small pieces of text information in the form of text files sent by the server and saved on the side of the person visiting the nevt.app Website (e.g. on the hard drive of a computer, laptop, or on the smartphone's memory card – depending on the device used by the visitor). Detailed information about cookies and the history of their creation can be found, among others, here: https://en.wikipedia.org/wiki/HTTP_cookie.
2. Cookies that may be sent by a website can be divided into different types, according to the following criteria:

By provider:	By retention period on the device of the person visiting the website:	By purpose of use:
first-party (created by the website) and belonging to third parties (other than the Administrator)	session (stored until leaving the website or closing the web browser) and persistent (stored for a specified time, defined by each file's parameters, or until manual deletion)	necessary (enabling proper operation of the site), functional/preference (enabling adjustment of the site to the preferences of the person visiting the site), analytical and performance (collecting information on how the site is used), marketing, advertising and social (collecting information about the visitor to display ads to that person, personalise them and carry out other marketing activities also on websites separate from the site, such as social networks or other sites belonging to the same advertising network of the Application)

3. The Administrator may process data contained in cookies when visitors use the site for the following specific purposes:

remembering data from completed forms or surveys (necessary or functional/preference cookies)

adjusting the content of the site to individual preferences of Recipients (e.g. concerning colours, font size, page layout) and optimising the use of the site (functional/preference cookies)

running anonymous statistics showing how the site is used (analytical and performance cookies)

displaying and rendering ads, limiting the number of ad impressions and ignoring ads that a given person does not want to see, measuring ad effectiveness, and personalising ads, i.e. examining the behaviour of visitors to the web version of the Application through anonymous analysis of their actions (e.g. repeated visits to particular pages, keywords etc.) to create their profile and provide them with ads tailored to their predicted interests, also when they visit other websites in the Google Ireland Ltd. advertising network (marketing, advertising and social cookies)

4. Checking what cookies are currently sent by the site, regardless of the browser, is possible, for example, using tools available at: https://www.cookiemetrix.pl or https://www.cookie-checker.com.
5. By default, most web browsers available on the market accept storage of cookies. Everyone has the option of specifying the conditions for the use of cookies through their browser settings. This means that, for example, one may partially limit (e.g. temporarily) or completely disable the ability to save cookies – in the latter case, however, this may have an impact on some functionalities of the Application.
6. Browser settings regarding cookies are relevant from the point of view of consent to the use of cookies by the site – according to the provisions, such consent may also be expressed through the settings of the web browser. Detailed information on changing cookie settings and their self-removal in the most popular web browsers is available in the help section of the web browser and on the following pages (just click the link):
   • in the Chrome browser
   • in the Firefox browser
   • in the Opera browser
   • in the Safari browser
   • in the Microsoft Edge browser
7. The Administrator may use Google Analytics and Firebase Analytics services provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). These services help the Administrator maintain statistics, analyse traffic and monitor errors in the operation of the site. Data collected is processed within these services to generate statistics useful in the administration of the site, traffic analysis on the site or to improve service quality and security for persons using the site. This data is of an aggregate nature. The Administrator, using the above services on the site, collects such data as the sources and medium of acquiring visitors to the site and the way of their behaviour on the site, information about the devices from which they visit the site, IP address, geographic data, demographic data (age, gender) and interests.
8. The Firebase tool collects data related, for example, to which category of information is most often read by Users, which functionalities of the Application are more frequently used, how much time Users spend in the Application, how many Users are actively using it in a given period. The Firebase system does not allow identification of individual Users. Thanks to Firebase, information is also collected about possible errors of the Application, which allows the Administrator to work on optimising the Application and improving the functioning of its elements. More information about how Firebase and related tools work is available at: https://firebase.google.com/support/privacy.
9. In connection with the possible use by the Administrator of analytical and advertising services provided by Google Ireland Ltd. on the site, the Administrator indicates that full information on the rules of data processing of persons visiting the Application by Google Ireland Ltd. (including data saved in cookies) can be found in the privacy policy of Google services at: https://policies.google.com/technologies/partner-sites.

8. Final provisions

The Application may contain links to other websites or applications. The Administrator encourages visitors to read the privacy policy established there once they move to other sites. This privacy policy applies only to the Administrator's Application.

Effective date: 30 April 2026