Table of Contents
1. Introduction
This Privacy Policy explains how Jakub Plata Software (the "Data Controller"), operating as a sole proprietorship (JDG) under Polish law, collects, uses, stores, and protects your personal data when you use the Nevt mobile application ("the App").
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR - Regulation (EU) 2016/679) and applicable Polish data protection law (RODO).
2. Data We Collect
2.1 Account Data
- Name - provided during registration
- Email address - used for authentication and communication
- Password - hashed and managed securely by Firebase Authentication (we never store plaintext passwords)
2.2 Profile Data
- Profile photos - profile picture and additional photos you upload
- Bio - personal description
- Goals - what you're looking for on the platform
- Date of birth - used for age-based event restrictions
- Gender - used for event participant preferences
2.3 Location Data
- Geolocation - used for displaying nearby events on the map and geospatial queries
- Geohash - encoded location data for efficient event discovery
- Location is collected only when you actively use the map feature and with your device permission
2.4 Usage Data
- Events - events you create, join, or save
- Messages - chat messages in event channels and private conversations
- Waves - connection requests you send and receive
- Ratings - likes and unlikes you give or receive, with optional comments
- Experience and level - XP points earned through activity and your calculated level
- Activity statistics - aggregated counts of events organized, completed, joined, and other engagement metrics
- Blocked users - your block list
- Reports - reports you submit about users, events, chats, or ratings, including the report category, optional description, and your identity as the reporter
2.5 Subscription Data
- Subscription status - whether you have a free or premium account
- Subscription type and expiry - managed via RevenueCat
- Subscription period type - whether your current subscription period is a regular paid period, free trial, or introductory offer, used to manage trial eligibility
- We do not store payment card details; payments are handled by Apple App Store and Google Play Store
2.6 Device Data
- Push token - Firebase Cloud Messaging token for delivering push notifications
- Device type - platform information (iOS/Android)
- Device identifier - a platform-specific device ID (iOS: identifierForVendor; Android: androidId) used to prevent registration abuse and enforce account restrictions
2.7 Security & Anti-Abuse Data
- Device registration records - we track which email addresses have been registered on each device to enforce a limit of accounts per device
- IP address - collected temporarily during registration requests for rate limiting purposes; not stored long-term
- Blacklist records - if your account is banned for violating our Terms of Service, your email address and associated device identifiers may be added to a registration blacklist to prevent re-registration
3. Purpose & Legal Basis
We process your personal data based on the following legal grounds under GDPR Article 6:
| Purpose | Legal Basis |
|---|---|
| Account creation and authentication | Performance of contract (Art. 6(1)(b)) |
| Providing core app features (events, chat, waves) | Performance of contract (Art. 6(1)(b)) |
| Displaying your profile to other users | Performance of contract (Art. 6(1)(b)) |
| Location-based event discovery | Consent (Art. 6(1)(a)) |
| Sending push notifications | Consent (Art. 6(1)(a)) |
| Processing premium subscriptions | Performance of contract (Art. 6(1)(b)) |
| Enforcing Terms of Service, preventing abuse | Legitimate interest (Art. 6(1)(f)) |
| Device identification, registration limits, and blacklisting to prevent abuse | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
4. Data Retention
- Active accounts: Your data is retained for as long as your account is active.
- Deleted accounts: Upon account deletion, your personal data is permanently removed from our systems immediately by an automated process. Related content (ratings, messages) is anonymized. Some anonymized data may be retained for analytical purposes or as required by law.
- Messages: Event chat messages are retained for the lifetime of the event. When a user leaves a private chat or blocks the other user, messages are soft-deleted and retained for 30 days. If the users re-match within that period, the conversation history is restored. After 30 days without re-matching, private chat messages are permanently deleted by an automated process.
- Backups: Data may persist in system backups for up to 90 days after deletion.
- Reports: All user-submitted and system-generated reports are permanently retained as an immutable audit trail. Reports cannot be deleted, even if the reporter's account is deleted.
- Blacklist & device records: If your account is banned for violating our Terms of Service, your email address and associated device identifiers are retained on the registration blacklist indefinitely to prevent re-registration. Device registration records (mapping device IDs to registered emails) are retained for as long as the device limit policy is in effect, even after account deletion.
5. Third-Party Sharing
We share your data with the following third-party services, which act as data processors:
| Service | Purpose | Data Shared |
|---|---|---|
| Firebase / Google Cloud | Authentication, database, storage, cloud functions | Account data, profile data, messages, photos |
| Firebase Cloud Messaging | Push notifications | Push token, notification content |
| RevenueCat | Subscription management | User ID, subscription status |
| Apple App Store / Google Play Store | In-app purchases and payment processing | Purchase transactions (handled by the stores) |
We do not sell your personal data to third parties. We do not share your data with advertisers.
6. Your Rights (GDPR)
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) - Request a copy of your personal data.
- Right to rectification (Art. 16) - Request correction of inaccurate data. You can update most data directly in the App.
- Right to erasure (Art. 17) - Request deletion of your data ("right to be forgotten"). You can delete your account in the App settings.
- Right to restriction of processing (Art. 18) - Request restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to its processing.
- Right to data portability (Art. 20) - Request your data in a structured, machine-readable format.
- Right to object (Art. 21) - Object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)) - Withdraw consent at any time for consent-based processing (e.g., location, notifications).
- Right to lodge a complaint - You may file a complaint with the Polish supervisory authority: Prezes Urzedu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl.
To exercise your rights, contact us at jakub.plata@nevt.app. We will respond within 30 days.
7. Children
Nevt is not intended for use by persons under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected data from a user under 18, we will take steps to delete their account and associated data promptly.
8. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of data in transit (HTTPS/TLS)
- Secure password hashing via Firebase Authentication
- Access control and authentication for database operations (Firestore Security Rules)
- Regular security reviews of our codebase and infrastructure
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
9. International Transfers
Your data is processed by Firebase/Google Cloud, which may store and process data in data centers located outside the European Economic Area (EEA). Google provides appropriate safeguards for international data transfers through Standard Contractual Clauses (SCCs) and compliance with applicable data protection frameworks.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes through the App or via email. The "Effective date" at the bottom of this page indicates when the latest version took effect. Your continued use of the App after changes are published constitutes acceptance of the updated policy.
11. Contact
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
- Data Controller: Jakub Plata Software
- Address: Seweryna Goszczyńskiego 3/5 Kraków 30-724
- NIP (Tax ID): 7343558314
- Email: jakub.plata@nevt.app
Effective date: March 5, 2026