Privacy Policy and Data Protection (GDPR)

Working draft · last updated: 25 June 2026 · Effective from: —

This Privacy Policy explains how RIDOA Sp. z o.o. processes the personal data of users who use our digital products — mobile applications (iOS/Android), SaaS software, and websites published under the RIDOA brand (including Barvea, Zapp, AutoPolar, and ClimaBox). This document describes the purposes and legal bases for processing, the categories of data, the recipients, the retention periods, and the rights available to data subjects, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”) and the Polish Personal Data Protection Act of 10 May 2018.

Note: this document is a working draft and is not yet a binding, effective version. The final content, the effective dates, and the scope of processing will be confirmed after internal legal approval.

Fully local products (e.g. AutoPolar). Some of our applications — in particular AutoPolar — have been designed on a “privacy-first” model: they operate without user accounts, without the cloud, and without collecting data. Data (e.g. polars, configurations, data from the NMEA 0183 / SignalK bus) remains solely on the user’s device and is not transmitted to RIDOA. To the extent that a given application does not transfer any personal data to the Controller, the provisions of this Policy concerning processing by RIDOA apply only as appropriate and to the extent necessary (e.g. to the distribution of the application via the Apple/Google stores or to handling correspondence addressed to us). In each case, the decisive description is the processing description of the given application made available in the app store (the “App Privacy” section) and the information provided within the application itself.

§ 1. Data Controller and contact details

The controller of personal data within the meaning of Article 4(7) GDPR is:

In all matters relating to the processing of personal data and to the exercise of the rights referred to in § 7 of this Policy, you may contact the Controller in writing at its registered office address or electronically at kontakt@ridoa.house.

Data Protection Officer (DPO). As at the date of preparation of this Policy, the Controller was not required to appoint a data protection officer within the meaning of Article 37 GDPR and has not appointed one. If a DPO is appointed, their contact details (including a dedicated e-mail address) will be made available in this Policy and on the pages of our products. Until a DPO is possibly appointed, all correspondence on data protection matters should be directed to kontakt@ridoa.house.

This Policy is common to all RIDOA products. Depending on which product (application, SaaS service, or website) the user uses, the actual scope of the data processed may be narrower than described below — we process only the data necessary for the operation of the given product.

§ 2. What data we process

The scope of the data processed depends on the product and on how it is used. Depending on the case, we may process the following categories of data:

2.1. Account data and identification data

In products requiring registration (e.g. SaaS services or applications with social features): e-mail address, login/username, password (stored as an encrypted hash), optionally first and last name or display name, language and account settings, and account identifier. In products operating without accounts (e.g. AutoPolar), we do not process data in this category.

2.2. Data generated by the application (content and usage data)

Data entered or produced while using the application, e.g. saved configurations, settings, content, exported/imported files (e.g. .pol, .csv files) and — in mapping or navigation applications — location data and data from sensors/measurement buses (e.g. NMEA 0183 / SignalK). In applications such as AutoPolar, this data is processed locally on the device and is not transmitted to RIDOA; in cloud products, data may be stored on our backend infrastructure for the purpose of providing the service (synchronization, backup).

2.3. Location data

In applications that offer location-dependent features (maps, navigation, event geolocation), we may process device location data. Access to location is enabled on the basis of a system permission granted by the user at the operating-system level (iOS/Android), which can be revoked at any time in the device settings. In locally operating applications, location data is used solely on the device and does not reach RIDOA.

2.4. Technical data and device data

Data necessary for the proper and secure operation of the product and for its diagnostics, e.g.: device type and model, operating-system version, application version, technical device/installation identifiers, language and regional settings, IP address, crash data (diagnostic logs and error reports), and technical events. The scope of this data may be reduced to a minimum in privacy-focused applications.

2.5. Payment and purchase data

In paid products or products offering in-app purchases (in-app purchase, subscriptions): information about the purchase, the subscription status, the transaction identifier, and the validity period. We do not collect or store full payment data (e.g. card numbers) — payments are processed and settled by payment operators and app stores (Apple App Store, Google Play), which in this respect are separate controllers or entities providing payment services.

2.6. Correspondence and support data

Data provided in correspondence addressed to us (e.g. e-mail address, the content of the request, and data necessary to provide a response or to handle a complaint).

Draft: the final catalogue of the categories of data processed will be specified separately for each product at the legal approval stage and in the “App Privacy” cards in the Apple/Google stores.

§ 3. Purposes and legal bases for processing

We process personal data solely for specified, lawful purposes, on the following legal bases under Article 6 GDPR:

• Providing the service and performing the contract (creating and maintaining an account, providing application/service features, processing purchases and subscriptions, technical support) — Article 6(1)(b) GDPR (processing necessary for the performance of a contract or to take steps prior to entering into a contract).
• Features requiring consent (e.g. certain marketing notifications, optional analytics or personalized content, access to specific data with a system permission) — Article 6(1)(a) GDPR (consent of the data subject). Consent may be withdrawn at any time; withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Legal obligations of the Controller (tax and accounting settlements, handling of complaints and withdrawals, responses to requests from authorized authorities) — Article 6(1)(c) GDPR (compliance with a legal obligation).
• Legitimate interest of the Controller (ensuring the security and continuity of operation, preventing abuse and fraud, diagnostics and improving product quality, establishing or defending claims, conducting correspondence, marketing of our own products to the extent permitted by law) — Article 6(1)(f) GDPR (legitimate interest of the Controller or a third party).

In every case where processing is based on Article 6(1)(f) GDPR, we carry out a balancing test, taking into account the rights and freedoms of data subjects. The data subject has the right to object (see § 7).

§ 4. Data recipients and processors

Personal data may be disclosed only to entities that process it on our behalf under data processing agreements (Article 28 GDPR) or that act as separate controllers in respect of their own services. The categories of recipients include in particular:

• Infrastructure and hosting providers — entities providing servers, data storage, and service maintenance (including backend infrastructure providers, e.g. Supabase, and hosting and data-center providers).
• App stores — Apple (App Store) and Google (Google Play) in respect of application distribution, purchase verification, subscription handling, and system notifications; these entities act as separate controllers with regard to the data collected within user accounts in those stores.
• Payment operators — providers of payment services and of in-app purchase settlement mechanisms that handle transactions.
• Providers of analytics and diagnostic tools — tools for application stability analysis, error reporting, and (to the extent covered by consent) usage statistics.
• Communication service providers — e.g. e-mail providers and notification delivery systems.
• Entities providing legal, accounting, and advisory services — to the necessary extent.
• Authorized public authorities — where the obligation to disclose arises from legal provisions.

With regard to fully local products (e.g. AutoPolar), RIDOA does not disclose any usage data to recipients, because such data does not leave the device. The only entities involved in the distribution of such an application are the Apple/Google stores, acting under their own privacy policies.

§ 5. Transfers of data outside the European Economic Area (EEA)

As a rule, we aim to process data within the EEA. However, if the use of the services of certain providers (e.g. infrastructure providers, analytics tools, or app stores) involves the transfer of data to a third country (outside the EEA), such transfer takes place only with the application of appropriate safeguards provided for in Chapter V of the GDPR, in particular:

• on the basis of a European Commission decision finding an adequate level of protection (an adequacy decision) — Article 45 GDPR; or
• on the basis of standard contractual clauses (SCC) approved by the European Commission — Article 46(2)(c) GDPR, supplemented where necessary by additional technical and organizational measures; or
• on the basis of other permissible mechanisms provided for in the GDPR (e.g. binding corporate rules or the applicable derogations under Article 49 GDPR).

Information about the safeguards applied and, where applicable, a copy of the relevant documents can be obtained by contacting the Controller at kontakt@ridoa.house.

§ 6. Data retention periods

We retain personal data for no longer than is necessary to achieve the purposes for which it was collected, after which we delete or anonymize it. We apply the following principles:

• Account data and service-related data — for the period of holding the account / using the service, and after its termination for the period necessary to settle the service and until the expiry of the limitation periods for claims.
• Data processed on the basis of consent — until consent is withdrawn or the purpose of processing ceases.
• Billing and accounting data — for the period required by tax and accounting regulations (as a rule, up to 5 years counted from the end of the year in which the tax obligation arose).
• Data processed for the purpose of establishing or defending claims — until the expiry of the relevant limitation periods.
• Diagnostic data and technical logs — for the period necessary to ensure security and diagnostics, usually for a short period.

In the case of locally operating products (e.g. AutoPolar), the retention period of the data on the device is decided solely by the user — the data can be deleted at any time within the application or by uninstalling it.

§ 7. Rights of the data subject

The data subject has the following rights under the GDPR:

• the right of access to data and to obtain a copy thereof (Article 15 GDPR);
• the right to rectification of inaccurate data or completion of incomplete data (Article 16 GDPR);
• the right to erasure of data (the “right to be forgotten”) — in the cases specified in Article 17 GDPR;
• the right to restriction of processing (Article 18 GDPR);
• the right to data portability for data processed by automated means on the basis of consent or a contract (Article 20 GDPR);
• the right to object to processing based on legitimate interest, including objection to direct marketing (Article 21 GDPR);
• the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal (Article 7(3) GDPR).

To exercise the above rights, please contact the Controller at kontakt@ridoa.house. We respond to requests without undue delay, as a rule within one month of their receipt; if necessary, this period may be extended in accordance with Article 12(3) GDPR. The exercise of rights is, as a rule, free of charge; in the case of manifestly unfounded or excessive requests, we may charge a reasonable fee or refuse to act (Article 12(5) GDPR).

Right to lodge a complaint with a supervisory authority. The data subject has the right to lodge a complaint with a supervisory authority, which in Poland is the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, if they consider that the processing of their data infringes the provisions of the GDPR.

§ 8. Automated decision-making and profiling

The Controller does not make decisions concerning users based solely on automated processing (including profiling) that would produce legal effects concerning them or similarly significantly affect them within the meaning of Article 22 GDPR. If we introduce such processes in the future, we will inform you of this, providing the rules of their operation, their significance, and the envisaged consequences, and we will ensure appropriate rights, including the right to obtain human intervention, to express one’s own point of view, and to contest the decision.

§ 9. Children’s data

Our products are not directed at children under 16 years of age, and we do not knowingly collect their personal data. If the use of a particular service requires consent and the user has not reached the age required by law (in Poland — 16 years, Article 8 GDPR in conjunction with Article 8 of the Personal Data Protection Act), processing on the basis of consent is permissible only with the consent or authorization of the person holding parental responsibility or guardianship. If we become aware that we are processing a child’s data without the required consent, we will delete such data without delay. Guardians who believe that a child has provided us with data may contact us at kontakt@ridoa.house.

§ 10. Cookies and similar technologies

Our websites and, to a limited extent, our applications may use cookies and similar technologies (e.g. local device storage, technical identifiers). Detailed information about the types of cookies, the purposes of their use, the retention periods, and how to manage consents can be found in a separate Cookie Policy. Locally operating applications (e.g. AutoPolar) as a rule do not use cookies or trackers.

§ 11. Data security

We apply appropriate technical and organizational measures ensuring the security of the data processed, adequate to the risk, in accordance with Article 32 GDPR, including, among others: encryption of data transmission (TLS), access control and authentication, pseudonymization and data minimization where possible, regular updates, and the principle that data is processed only by authorized persons. The architecture of our products incorporates the principles of data protection by design and data protection by default (privacy by design and privacy by default, Article 25 GDPR) — reflected, among others, in products that operate without accounts and without the cloud, in which data remains on the user’s device.

§ 12. Changes to the Privacy Policy

The Controller may update this Policy, in particular in the event of changes in the law, the introduction of new features or products, or changes to the data processing rules. We will inform you of material changes in an appropriate manner (e.g. by a notice in the application, on the website, or by e-mail), with appropriate advance notice. The current version of the Policy, together with the date of its publication and the date of its entry into force, is always available in our services and applications. Use of the products after the changes take effect means that you have read their content.

Working draft. This document is a draft intended for internal legal approval and may change before publication. The effective date will be indicated after the final content is approved. For data protection matters, please contact us: kontakt@ridoa.house.