1. Data Controller
Jakub Rosiak, Igor Szafarowicz,
ul. Twarda 14/16, 00-824 Warsaw,
email: contact@zoneapp.io.
2. What data we process
User-provided data: name, age, height, gender, profile photos, your preferences for the gender of people you want to meet, and the languages you want to use in Zones.
Technical data: account/device identifier, timestamps, notification settings.
Location data (Zones feature): precise GPS location used when entering a Zone and periodically in the background during an active Zone session to confirm that you are inside the Zone.
Note on sensitive data: gender preferences may reveal sexual orientation (a special category of data). If you choose to provide this data, you consent to our use of it as described in this Privacy Policy. You can withdraw that consent by emailing contact@zoneapp.io.
3. Purposes and legal bases
Providing the service (creating a profile, Zone matching, notifications, including checking location when entering a Zone and periodically in the background while you remain in the Zone): Article 6(1)(b) GDPR (necessary for performance of the contract). If you decide to provide this data, you consent to our use of it as described in this Privacy Policy.
Safety and abuse prevention (fraud prevention, photo moderation, handling reports): Article 6(1)(f) GDPR (legitimate interest in ensuring the security and integrity of the service; data minimization).
Direct marketing via electronic means - only with separate consent: Article 6(1)(a) GDPR.
Website analytics - after your consent, we use Google Analytics 4 to prepare aggregated website traffic statistics, measure clicks on key actions, and understand the general effectiveness of the website. Consent is voluntary; you can accept it, reject it, or change your choice later through the cookie settings available in the website footer.
4. How location processing works in Zones
Location is read from your device when you enter a Zone and periodically (at short intervals) only while the Zone is active on your account.
We do not build a continuous movement history. On the server side we only store "Zone entry/exit" events (timestamp, Zone ID, and account ID) needed for the service and security.
You control location permissions in your device/system settings; turning location off disables the Zones feature.
5. Data recipients
Processors acting on our behalf: hosting/cloud providers, app maintenance providers, analytics tools with limited scope (including Google Analytics 4 for the website, only after consent), push notification providers, and content moderation tools - only to the extent necessary to provide the service; authorities empowered by law. For App Store/Google Play payments, the store operators are separate controllers of payment data; Zone does not receive card details.
6. Transfers outside the EEA
If data is transferred outside the EEA (for example to IT providers), we use appropriate legal safeguards, including Standard Contractual Clauses. Information about such transfers is available on request.
7. Retention period
Profile data: for the duration of the contract (while the account exists).
Zone events (entry/exit): up to 30 days.
Backup data: up to 30 days.
Data needed to establish, pursue, or defend claims: until the limitation periods expire. The
data-minimization principle applies.
Temporary chat messages: retained for up to 24 hours after the session ends; safety metadata - up
to 30 days.
8. Your rights
Access, rectification, erasure, restriction, portability, objection (where processing is based on legitimate interest), and withdrawal of consent at any time (without affecting the lawfulness of processing carried out before withdrawal).
9. Requirement to provide data
Providing the data listed in section 2 is voluntary, but necessary to create a profile and use the Zones feature (location is required for Zones to work). If you do not provide it, we will not be able to provide the service in that scope. You also have the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO).
10. Security
We use appropriate technical and organizational measures, including encrypted transmission, access control, security testing, and location-scope minimization logic.
11. Changes
We publish the current version of the Policy on the website; material changes are communicated directly in the app and by email.