GDPR Compliance

Last Updated:

Your Data Protection Rights

  • GDPR Coverage: Under the General Data Protection Regulation (GDPR), you have specific rights regarding your personal data.
  • Scope: These rights apply to EU residents using our website and mobile application, though data practices differ between platforms.
  • Mobile App: The StayStat mobile app processes location data locally and collects anonymous crash reports (with consent).
  • Website: Our website uses standard cookies and processes contact form submissions through Formspree.
  • Commitment: We are committed to respecting and facilitating the exercise of these rights across both platforms.

Right of Access (Article 15)

  • What it means: You can request confirmation that we process your data and access to that data.
  • Information provided: Categories of data, processing purposes, recipients, retention periods.
  • How to exercise: Email us at [email protected] with your request.
  • Response time: We will respond within one month of receiving your request.

Right to Rectification (Article 16)

  • What it means: You can request correction of inaccurate or incomplete personal data.
  • Mobile app: Most data can be corrected directly within the app settings.
  • Website data: Contact us to correct any information we may have collected.
  • Verification: We may ask for verification before making corrections to ensure data accuracy.

Right to Erasure - "Right to be Forgotten" (Article 17)

  • What it means: You can request deletion of your personal data under certain conditions.
  • Mobile app data: Delete the app from your device to remove all locally stored travel data. Your data is stored using Core Data and Keychain on-device.
  • Crash reports: Disable crash reporting in app settings to stop future collection. Existing reports are anonymous and handled by Firebase Crashlytics retention policies.
  • Website data: Request deletion of any data we may have collected through our website contact forms.
  • Limitations: Anonymous crash data may be retained for technical purposes according to Firebase policies.

Right to Restrict Processing (Article 18)

  • What it means: You can request that we limit how we process your data.
  • When available: If you contest data accuracy, object to processing, or if processing is unlawful.
  • Effect: We will store but not actively process the data until issues are resolved.
  • Notification: We will inform you before lifting any processing restrictions.

Right to Data Portability (Article 20)

  • What it means: You can receive your data in a structured, machine-readable format.
  • Mobile app: Export features within the app allow you to download your travel data.
  • Formats available: PDF, CSV, or other structured formats as technically feasible.
  • Scope: Applies to data you provided and that we process automatically.

Right to Object (Article 21)

  • What it means: You can object to processing based on legitimate interests or direct marketing.
  • Marketing: We do not engage in direct marketing, but you can object if this changes.
  • Analytics: You can object to website analytics through browser settings or ad-blockers.
  • Balancing test: We will stop processing unless we have compelling legitimate grounds.

Right to Withdraw Consent

  • What it means: You can withdraw consent for processing that relies on your consent.
  • Mobile app: Revoke location permissions through device settings to withdraw location consent.
  • Website: Clear cookies or adjust browser settings to withdraw website consent.
  • Effect: Withdrawal does not affect the lawfulness of past processing.

Automated Decision-Making Rights (Article 22)

  • Current practices: StayStat does not use automated decision-making with legal effects.
  • Algorithm transparency: Our app uses simple algorithms for travel tracking, not profiling.
  • Future changes: We will notify you if we implement automated decision-making features.
  • Your rights: Right to human intervention, explanation, and challenge of automated decisions.

How to Exercise Your Rights

  • Email us: Send requests to [email protected]
  • Include details: Specify which right you want to exercise and provide sufficient identification.
  • Verification: We may ask for additional information to verify your identity.
  • No charge: Exercising your rights is free, except for excessive or unfounded requests.

Data Controller Information

Legal Bases for Data Processing

Under GDPR Article 6, we process your personal data based on the following legal grounds:

Data Type Purpose Legal Basis
Precise Location Country change detection, travel notifications (a) Consent (iOS permission prompt)
Crash Data App stability and reliability improvements (a) Consent (Opt-in, disabled by default)
Device Identifier Crash diagnostics, app reliability (f) Legitimate Interest (LIA: stability outweighs impact)
Camera/Photos Boarding pass scanning (on-device OCR) (a) Consent (iOS permission prompt)
Biometric Data App security (Face ID/Touch ID) (a) Explicit Consent (Art. 9(2)(a) - special category)
User Preferences App functionality (settings, themes) (f) Legitimate Interest (LIA: necessary for basic features)
  • Consent: You can withdraw consent at any time through iOS Settings or in-app privacy controls.
  • Legitimate Interest: We have conducted Legitimate Interest Assessments (LIAs) balancing our interests against your rights.
  • Special Category Data: Biometric data (Face ID/Touch ID) is processed by iOS Secure Enclave, not directly accessed by our app.

Supervisory Authority

  • Right to complain: You have the right to lodge a complaint with a data protection authority.
  • EU Residents: Contact your national supervisory authority listed at edpb.europa.eu
  • UK Residents: Information Commissioner's Office (ICO) - ico.org.uk
  • Canadian Residents: Office of the Privacy Commissioner (OPC) - priv.gc.ca
  • Cross-border processing: You may also contact the authority where you believe a violation occurred.
  • Before complaining: We encourage you to contact us first at [email protected] to resolve any concerns.

Data Retention

  • Mobile app travel data: Stored locally on your device using encrypted Core Data and Keychain; automatically deleted when you uninstall the app.
  • Location data: Used only for real-time country detection and processed entirely on-device; not transmitted or stored remotely.
  • Crash reports: Anonymous crash data retained by Firebase Crashlytics according to Google's data retention policies (typically 90 days).
  • Website analytics: Anonymous website usage data retained for up to 26 months for analytics purposes.
  • Contact form data: Processed through Formspree and not permanently stored by us.

International Data Transfers

  • United States (Firebase Crashlytics): Anonymous crash data may be transferred to Firebase (Google LLC) in the United States.
  • Legal Mechanism: Standard Contractual Clauses (SCCs) approved by EU Commission Decision 2021/914.
  • Google Cloud Data Processing Terms: Available at cloud.google.com/terms/data-processing-addendum
  • Supplementary Measures: AES-256 encryption, access controls, and limited data retention (90 days) ensure Schrems II compliance.
  • Data Location: Crash reports stored in Google Cloud data centers in the United States.
  • No Other Transfers: All other app data (travel entries, location, preferences) is stored locally on your device and never transmitted.
  • Your Rights: You can request a copy of the SCCs or opt out of crash reporting entirely in app settings.

Contact for Data Protection Inquiries

  • Privacy Officer: [email protected]
  • General Support: [email protected]
  • Response Time: We aim to respond to all privacy inquiries within one month.
  • Complex Requests: Response time may be extended to three months for complex requests.

Last updated:

Back to Home