Your Data Protection Rights
- GDPR Coverage: Under the General Data Protection Regulation (GDPR), you have specific rights regarding your personal data.
- Scope: These rights apply to EU residents using our website and mobile application, though data practices differ between platforms.
- Mobile App: The StayStat mobile app processes location data locally and collects anonymous crash reports (with consent).
- Website: Our website uses standard cookies and processes contact form submissions through Formspree.
- Commitment: We are committed to respecting and facilitating the exercise of these rights across both platforms.
Right of Access (Article 15)
- What it means: You can request confirmation that we process your data and access to that data.
- Information provided: Categories of data, processing purposes, recipients, retention periods.
- How to exercise: Email us at [email protected] with your request.
- Response time: We will respond within one month of receiving your request.
Right to Rectification (Article 16)
- What it means: You can request correction of inaccurate or incomplete personal data.
- Mobile app: Most data can be corrected directly within the app settings.
- Website data: Contact us to correct any information we may have collected.
- Verification: We may ask for verification before making corrections to ensure data accuracy.
Right to Erasure - "Right to be Forgotten" (Article 17)
- What it means: You can request deletion of your personal data under certain conditions.
- Mobile app data: Delete the app from your device to remove all locally stored travel data. Your data is stored using Core Data and Keychain on-device.
- Crash reports: Disable crash reporting in app settings to stop future collection. Existing reports are anonymous and handled by Firebase Crashlytics retention policies.
- Website data: Request deletion of any data we may have collected through our website contact forms.
- Limitations: Anonymous crash data may be retained for technical purposes according to Firebase policies.
Right to Restrict Processing (Article 18)
- What it means: You can request that we limit how we process your data.
- When available: If you contest data accuracy, object to processing, or if processing is unlawful.
- Effect: We will store but not actively process the data until issues are resolved.
- Notification: We will inform you before lifting any processing restrictions.
Right to Data Portability (Article 20)
- What it means: You can receive your data in a structured, machine-readable format.
- Mobile app: Export features within the app allow you to download your travel data.
- Formats available: PDF, CSV, or other structured formats as technically feasible.
- Scope: Applies to data you provided and that we process automatically.
Right to Object (Article 21)
- What it means: You can object to processing based on legitimate interests or direct marketing.
- Marketing: We do not engage in direct marketing, but you can object if this changes.
- Analytics: You can object to website analytics through browser settings or ad-blockers.
- Balancing test: We will stop processing unless we have compelling legitimate grounds.
Right to Withdraw Consent
- What it means: You can withdraw consent for processing that relies on your consent.
- Mobile app: Revoke location permissions through device settings to withdraw location consent.
- Website: Clear cookies or adjust browser settings to withdraw website consent.
- Effect: Withdrawal does not affect the lawfulness of past processing.
Automated Decision-Making Rights (Article 22)
- Current practices: StayStat does not use automated decision-making with legal effects.
- Algorithm transparency: Our app uses simple algorithms for travel tracking, not profiling.
- Future changes: We will notify you if we implement automated decision-making features.
- Your rights: Right to human intervention, explanation, and challenge of automated decisions.
How to Exercise Your Rights
- Email us: Send requests to [email protected]
- Include details: Specify which right you want to exercise and provide sufficient identification.
- Verification: We may ask for additional information to verify your identity.
- No charge: Exercising your rights is free, except for excessive or unfounded requests.
Data Controller Information
- Data Controller: STAYSTAT
- Location: Montreal, Quebec, Canada
- Contact: [email protected]
- EU Representative: Not required as we do not regularly offer goods/services to EU residents
Legal Bases for Data Processing
Under GDPR Article 6, we process your personal data based on the following legal grounds:
| Data Type |
Purpose |
Legal Basis |
| Precise Location |
Country change detection, travel notifications |
(a) Consent (iOS permission prompt) |
| Crash Data |
App stability and reliability improvements |
(a) Consent (Opt-in, disabled by default) |
| Device Identifier |
Crash diagnostics, app reliability |
(f) Legitimate Interest (LIA: stability outweighs impact) |
| Camera/Photos |
Boarding pass scanning (on-device OCR) |
(a) Consent (iOS permission prompt) |
| Biometric Data |
App security (Face ID/Touch ID) |
(a) Explicit Consent (Art. 9(2)(a) - special category) |
| User Preferences |
App functionality (settings, themes) |
(f) Legitimate Interest (LIA: necessary for basic features) |
- Consent: You can withdraw consent at any time through iOS Settings or in-app privacy controls.
- Legitimate Interest: We have conducted Legitimate Interest Assessments (LIAs) balancing our interests against your rights.
- Special Category Data: Biometric data (Face ID/Touch ID) is processed by iOS Secure Enclave, not directly accessed by our app.
Supervisory Authority
- Right to complain: You have the right to lodge a complaint with a data protection authority.
- EU Residents: Contact your national supervisory authority listed at edpb.europa.eu
- UK Residents: Information Commissioner's Office (ICO) - ico.org.uk
- Canadian Residents: Office of the Privacy Commissioner (OPC) - priv.gc.ca
- Cross-border processing: You may also contact the authority where you believe a violation occurred.
- Before complaining: We encourage you to contact us first at [email protected] to resolve any concerns.
Data Retention
- Mobile app travel data: Stored locally on your device using encrypted Core Data and Keychain; automatically deleted when you uninstall the app.
- Location data: Used only for real-time country detection and processed entirely on-device; not transmitted or stored remotely.
- Crash reports: Anonymous crash data retained by Firebase Crashlytics according to Google's data retention policies (typically 90 days).
- Website analytics: Anonymous website usage data retained for up to 26 months for analytics purposes.
- Contact form data: Processed through Formspree and not permanently stored by us.
International Data Transfers
- United States (Firebase Crashlytics): Anonymous crash data may be transferred to Firebase (Google LLC) in the United States.
- Legal Mechanism: Standard Contractual Clauses (SCCs) approved by EU Commission Decision 2021/914.
- Google Cloud Data Processing Terms: Available at cloud.google.com/terms/data-processing-addendum
- Supplementary Measures: AES-256 encryption, access controls, and limited data retention (90 days) ensure Schrems II compliance.
- Data Location: Crash reports stored in Google Cloud data centers in the United States.
- No Other Transfers: All other app data (travel entries, location, preferences) is stored locally on your device and never transmitted.
- Your Rights: You can request a copy of the SCCs or opt out of crash reporting entirely in app settings.
Contact for Data Protection Inquiries
- Privacy Officer: [email protected]
- General Support: [email protected]
- Response Time: We aim to respond to all privacy inquiries within one month.
- Complex Requests: Response time may be extended to three months for complex requests.