Data & privacy

Privacy Policy

How glunie collects, stores, and uses personal data across the app, moderation flows, and supporting services.

This policy is the working reference for what we collect, why we process it, how long we keep it, and how to contact us about privacy rights or requests.

Effective date: February 10, 2026 Last updated: February 10, 2026

1. Who We Are

glunie ("we", "us", "our") provides an application for discovering gluten-free places and products.

Data controller contact:

  • Email: available via reveal control at the bottom of this page
  • Website: https://glunie.app
  • Postal address: Jana Pestalozziego 8a/4, 85-095 Bydgoszcz, Poland
  • EU representative (Article 27 GDPR): Devonate Marcin Gierach
  • UK representative (Article 27 UK GDPR): Devonate Marcin Gierach

Replace the contact details above with your official legal contact details before publishing.

2. Scope

This Privacy Policy explains how we collect, use, store, and share personal data when you use:

  • the glunie web app,
  • related services, APIs, and moderation features.

3. Data We Collect

3.1 Account and profile data

  • Email address
  • Username / display name
  • Authentication provider metadata
  • Optional profile image
  • Language and app preferences

3.2 User-generated content

  • Places, ratings, comments, and photo uploads
  • Reactions, favorites, and notification subscriptions
  • Moderation notes and decisions (admin/moderator actions)

3.3 Technical and usage data

  • IP-derived data where necessary for security and abuse prevention
  • Session/authentication events
  • Device/browser metadata, logs, and error diagnostics

3.4 Location-related data

  • Approximate or precise location only when you grant permission in your browser/app settings
  • We use this to show nearby places and distance-based features

4. How We Use Data

We process personal data to:

  • provide app functionality,
  • authenticate users and secure accounts,
  • detect abuse/fraud and enforce community rules,
  • moderate user content,
  • improve reliability and product quality,
  • send in-app notifications related to activity and moderation outcomes,
  • comply with legal obligations.

5. Legal Bases (GDPR)

Depending on your jurisdiction, we rely on:

  • Contract performance (providing the service you requested)
  • Legitimate interests (security, moderation, product improvement)
  • Consent (e.g., optional location access)
  • Legal obligation (when required by law)

6. Service Providers, Processors, and DPA Terms

We use trusted providers to operate the app, including:

  • Supabase (database, authentication, storage)
  • Google Maps Platform (places/search/map services)
  • Cloudflare Turnstile (bot/abuse protection)
  • Google Analytics (aggregated usage and traffic analytics)

These providers may process data under their own privacy terms and data processing agreements.

Where required, we maintain data processing agreements (DPAs) with processors that handle personal data on our behalf, including appropriate confidentiality, security, and subprocessor obligations.

7. Data Retention

We retain personal data only as long as needed for the purposes described above, including:

  • account lifecycle and user-requested functionality,
  • moderation/audit needs,
  • legal and security requirements.

When data is no longer required, we delete or anonymize it, subject to legal constraints.

8. User Rights

Subject to applicable law, you may have rights to:

  • access your data,
  • correct inaccurate data,
  • delete your data,
  • restrict or object to processing,
  • data portability,
  • withdraw consent where processing relies on consent.

To exercise rights, use the privacy contact reveal control on this page.

9. Account Deletion

If you delete your account:

  • account-linked personal profile data is removed or anonymized per our retention rules,
  • some user-generated content may remain where necessary for platform integrity, safety, and auditability (for example, place records may remain while personal attribution is minimized).

10. International Transfers

If your data is processed outside the UK/EEA or your country, we apply appropriate safeguards as required by applicable law.

For UK/EU transfers, safeguards may include:

  • European Commission Standard Contractual Clauses (SCCs),
  • UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs,
  • transfer risk assessments and supplementary technical/organizational measures where needed.

11. Children

The service is not intended for children under the age required by local law to provide consent for data processing.

12. Security

We use technical and organizational measures to protect personal data, including access controls, authentication safeguards, and moderation/security procedures. No system is 100% secure.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will update the "Last updated" date and, where required, provide additional notice.

14. Contact

Privacy questions and requests:

  • Email: use the privacy contact reveal control at the bottom of this page.
  • EU representative contact: Devonate Marcin Gierach
  • UK representative contact: Devonate Marcin Gierach

15. Anti-Spam and Abuse Protection

To protect our contact channels and users, we use anti-spam and anti-abuse controls (including bot protection where applicable). Automated scraping, bulk unsolicited messages, and abusive submissions may be blocked or filtered.