InfoNominal d.o.o. Company Privacy Policy

Last updated September 1st, 2025

Table of contents

• 1. Introduction and Definitions
• 2. Data Controller and Contact Information
• 3. Information We Collect
• 4. How We Use Your Information
• 5. Legal Bases for Processing (GDPR)
• 6. Data Sharing and Third Parties
• 7. Data Security
• 8. Your Privacy Rights
• 9. Data Retention
• 10. International Data Transfers
• 11. Children's Privacy
• 12. Third-Party Links and Services
• 13. Changes to This Privacy Policy
• 14. Platform-Specific Information
• 15. Your Choices and Controls
• 16. Supervisory Authority
• 17. Additional Information

1. Introduction and Definitions

Definitions

For the purpose of this Privacy Policy, the following terms shall have the following meanings:

• Personal Data: Any information relating to an identified or identifiable natural person ('data subject').
• Processing: Any operation performed on personal data, whether or not by automated means.
• Data Controller: InfoNominal d.o.o., which determines the purposes and means of processing personal data.
• Data Processor: A natural or legal person who processes personal data on behalf of the Controller.
• User: Any individual who uses our Apps or Services and is the subject of Personal Data.
• App(s): Refers collectively to all software applications developed and operated by InfoNominal d.o.o., including mobile applications for iOS and Android devices, and web applications accessed via browsers.
• Service: The InfoNominal d.o.o. application ecosystem, encompassing all mobile and web apps.
• Device: Any client or terminal equipment that can access our Apps or Services, such as a mobile phone, tablet, desktop computer, or laptop accessing via a web browser.

2. Data Controller and Contact Information

InfoNominal d.o.o.
Ulica Brune Bušića 36
10020 Zagreb
Croatia

Contact Information:

• Email: hi@infonominal.com
• Data Protection Officer: hi@infonominal.com
• Website: www.infonominal.com

3. Information We Collect

3.1 Information You Provide Directly

When you use our Apps or Services, we collect information that you voluntarily provide:

• Account Information: Email address, name, password (stored as hash).
• User Content: User entries (e.g., journal entries, habits, notes, lists), including text, images, and metadata, and other content you create within our Apps or Services.
• Payment Information: Payment details processed by our payment provider (Paddle), such as billing address and transaction history.
• Profile Information: Profile settings, preferences, and customization choices.
• Support Communications: Messages and attachments when you contact our support team.
• Feedback: Ratings, reviews, bug reports and survey responses.

3.2 Information Collected Automatically

When you use our Apps or Services, we automatically collect:

• Device and Browser Information:
  • For mobile devices: Device model and manufacturer, operating system and version, unique device identifiers, mobile network information, screen resolution and device capabilities.
  • For web browsers: Browser type and version, operating system, IP address, screen resolution.
• App/Service Usage Data:
  • Features accessed and interaction patterns.
  • Session duration and frequency.
  • In-app/in-service navigation paths.
  • Performance metrics and crash reports.
  • Timestamps of activities.
• Location Information:
  • Approximate location (country and city level) from IP address.
  • Timezone information.
  • Language and regional settings.

3.3 Platform-Specific Data Collection

Specific data may be collected depending on the platform you are using:

• iOS-Specific:
  • Apple Push Notification service tokens.
  • iOS Keychain data for secure storage.
  • HealthKit data (only if explicitly enabled in the app).
  • iCloud sync status (if enabled for relevant apps).
  • App Tracking Transparency (ATT) status.
• Android-Specific:
  • Firebase Cloud Messaging tokens.
  • Google Play Services information.
  • Android Keystore data for secure storage.
  • Google Fit data (only if explicitly enabled in the app).
  • Google account sync status (if enabled for relevant apps).
• Web-Specific:
  • Browser local storage and session storage for persistent user settings, temporary data, and offline capabilities.
  • Cookies for session management and preference tracking (further details not in source, but implied by web platform).
  • Service worker registrations for web push notifications and offline asset caching (further details not in source, but implied by web platform).

3.4 Permissions We Request

Our Apps and Services may request the following permissions, which vary by platform and specific application:

• Essential Permissions (for both mobile and web):
  • Internet Access: To sync your data and access online features.
  • Network State: To determine connectivity status.
• Mobile App Specific Permissions (you can decline):
  • Storage: To cache data for offline use.
  • Notifications: To send reminders and updates.
  • Camera: To capture photos (if you choose).
  • Photo Library: To attach images to your content.
  • Biometric Authentication: For secure app access.
  • Calendar: To sync habits and reminders with your calendar.
• Web App Specific Permissions (requested via browser):
  • Notifications (for web push notifications).
  • Camera (if an app offers camera functionality via web browser).
  • Microphone (if an app offers voice input functionality).

4. How We Use Your Information

4.1 Primary Purposes

We use your information to:

• Provide Core Services: Enable specific functionalities like journaling, habit tracking, note-taking, and list management depending on the App.
• Account Management: Create and maintain your account, authenticate access.
• Data Synchronization: Sync your data across your devices (e.g., between mobile and web platforms).
• Offline Functionality: Enable app usage without an internet connection.
• Backup and Recovery: Protect your data from loss.

4.2 Service Improvement

• Analyze usage patterns to improve features.
• Fix bugs and technical issues.
• Optimize app performance and battery usage.
• Develop new features based on user needs.

4.3 Communications

• Send important service updates and security alerts.
• Provide customer support responses.
• Send optional notifications (with your consent):
  • Habit reminders.
  • Journal prompts.
  • Achievement celebrations.
  • Marketing communications (opt-in only).

4.4 Security and Legal

• Prevent fraud and unauthorized access.
• Monitor for security threats.
• Comply with legal obligations.
• Enforce our Terms of Service.

5. Legal Bases for Processing (GDPR)

We process your personal data based on the following legal grounds:

5.1 Contract Performance (Article 6(1)(b))

• Account creation and authentication.
• Providing core app/service functionality.
• Processing and storing your content.
• Data synchronization services.

5.2 Legitimate Interests (Article 6(1)(f))

• App/Service improvement and optimization.
• Bug fixing and error tracking.
• Security monitoring.
• Analytics for service enhancement.

5.3 Consent (Article 6(1)(a))

• Push notifications (mobile and web).
• Marketing communications.
• Optional features requiring permissions.
• Analytics and advertising (where applicable).

5.4 Legal Obligations (Article 6(1)(c))

• Tax and financial regulations.
• Responding to legal requests.
• Maintaining required security logs.

6. Data Sharing and Third Parties

6.1 Service Providers We Use

We share data with carefully selected service providers:

Infrastructure and Hosting:

• Amazon Web Services (AWS)
  • Purpose: Server hosting and data storage.
  • Location: US East (N. Virginia).
  • Safeguards: Standard Contractual Clauses.

Analytics and Monitoring:

• Google Analytics/Firebase Analytics
  • Purpose: Usage analytics and app/service optimization.
  • Location: EU and US.
  • Safeguards: Standard Contractual Clauses.
• Sentry
  • Purpose: Error tracking and crash reporting.
  • Location: EU.
  • Safeguards: GDPR compliance.

Communication Services:

• Brevo (formerly Sendinblue)
  • Purpose: Transactional emails and notifications.
  • Location: EU (France).
  • Infrastructure: AWS and OVH Cloud (EU).

Payment Processing:

• Paddle (Paddle.com Market Limited)
  • Purpose: Payment processing, subscriptions, tax compliance.
  • Location: UK and EU.
  • Role: Merchant of Record.
  • Data Retention: 7 years for tax compliance.

Platform-Specific Services:

• Apple Push Notification Service (for iOS apps).
• Firebase Cloud Messaging (for Android apps).
• App Store/Google Play (for mobile app distribution and updates).

6.2 Data We Do Not Share

• Sell your personal data to third parties.
• Share your user-generated content with third parties.
• Use your data for behavioral advertising.
• Share data with social media platforms without explicit consent.

6.3 Legal Disclosure

• Court orders or legal processes.
• Government authorities when legally obligated.
• Protection of our legal rights.
• Prevention of fraud or security threats.

7. Data Security

7.1 Technical Safeguards

• Encryption:
  • AES-256 encryption for data at rest.
  • TLS 1.3 for data in transit.
  • End-to-end encryption for premium users.
• Authentication:
  • Secure password hashing (bcrypt).
  • Biometric authentication support (for mobile apps).
  • Multi-factor authentication (optional for all services).
  • Secure token management.
• App/Service Security:
  • Certificate pinning for API communications (primarily mobile, but principles apply to some web APIs).
  • Jailbreak/root detection (mobile apps).
  • Anti-tampering measures (mobile apps).
  • Secure local storage (iOS Keychain/Android Keystore for mobile apps).
  • Web application firewalls (WAFs) and DDoS protection (for web platforms).
  • Content Security Policy (CSP) headers to mitigate cross-site scripting (XSS) (for web platforms).
  • Regular security scans and vulnerability assessments for all platforms.

7.2 Operational Security

• Regular security audits and assessments.
• Penetration testing.
• Employee access controls.
• Incident response procedures.
• Regular security updates.

7.3 Data Breach Response

In case of a data breach, we will:

• Notify affected users within 72 hours.
• Inform relevant supervisory authorities.
• Provide details about the breach and mitigation steps.
• Offer support and guidance to affected users.

8. Your Privacy Rights

8.1 Rights Under GDPR

You have the following rights:

• Right to Access: Obtain a copy of your personal data.
• Right to Rectification: Correct inaccurate information.
• Right to Erasure: Delete your account and data.
• Right to Restriction: Limit how we process your data.
• Right to Portability: Export your data in standard formats.
• Right to Object: Opt-out of certain processing.
• Right to Withdraw Consent: Change permissions anytime.

8.2 Rights Under CCPA (California Residents)

• Right to know what personal information is collected.
• Right to delete personal information.
• Right to opt-out of sale (we don't sell your data).
• Right to non-discrimination.

8.3 How to Exercise Your Rights

• In-App/In-Service Controls:
  • Access and edit your data in Settings.
  • Export your data (e.g., Settings > Data & Privacy).
  • Delete individual items or entire account.
  • Manage notification preferences.
  • Control app/browser permissions.
• Contact Us:
  • Email: hi@infonominal.com.
  • Response time: Within 30 days.

9. Data Retention

9.1 Retention Periods

• Active Account Data: Retained while account is active.
• Deleted Items: Removed immediately from active storage, purged from backups within 30 days.
• Closed Accounts: Data deleted 30 days after account closure.
• Technical Logs: 90 days.
• Analytics Data: 26 months.
• Support Communications: 2 years.
• Payment Records: 7 years (legal requirement).

9.2 Local Device/Browser Storage

• App Cache (Mobile): Cleared based on device settings.
• Offline Data (Mobile/Web): Synced and updated with server.
• Temporary Files (Mobile): Deleted after session ends.
• Secure Storage (Mobile): Cleared on app uninstall (e.g., iOS Keychain/Android Keystore).
• Browser Cache (Web): Cleared based on browser settings.
• Local Storage/Session Storage (Web): Managed by browser, can be cleared by user or expires.
• Cookies (Web): Expiry set by us, or cleared by user.

10. International Data Transfers

10.1 Data Location

• Primary servers: AWS US East (N. Virginia).
• Backup locations: AWS EU regions.
• CDN: Global distribution for performance.

10.2 Transfer Safeguards

When transferring data internationally, we use:

• Standard Contractual Clauses (SCCs).
• Adequacy decisions by regulatory authorities.
• EU-US Data Privacy Framework participants.
• Binding Corporate Rules (where applicable).

11. Children's Privacy

• Our Apps and Services are not intended for children under 13.
• We do not knowingly collect data from children under 13.
• If we discover we've collected data from a child under 13, we will delete it immediately.
• Parents can contact us at hi@infonominal.com with concerns.

12. Third-Party Links and Services

Our Apps and Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes:

• We'll update the "Last updated" date.
• We'll notify you through the App(s) or email for material changes.
• We'll provide a summary of key changes.
• Your continued use constitutes acceptance of changes.

14. Platform-Specific Information

14.1 iOS App Store

• App privacy labels are available on the App Store.
• We comply with Apple's privacy requirements.
• HealthKit data (if used by the app) is never shared with third parties.
• iCloud sync uses Apple's encryption.

14.2 Google Play Store

• Data safety section available on Google Play.
• We comply with Google Play's privacy requirements.
• Google Fit data (if used by the app) follows Google's privacy standards.
• Android Backup Service uses Google's encryption.

14.3 Web Platform Information

• Our web applications are designed to comply with general web standards and data protection regulations relevant to online services.
• We implement measures such as secure cookie handling and responsible use of browser storage.

15. Your Choices and Controls

15.1 Account Settings

You can control:

• Profile information.
• Email preferences.
• Notification settings.
• Privacy settings.
• Data export options.

15.2 Device and Browser Settings

You can manage:

• App permissions (mobile devices).
• Push notifications (mobile devices and web browsers).
• Background app refresh (mobile devices).
• Location services (mobile devices).
• Data usage (mobile devices).
• Browser settings (web platforms) for cookies, local storage, and site permissions.

15.3 Opt-Out Options

• Marketing emails: Unsubscribe link in emails.
• Push notifications: App settings or device settings (mobile), or browser settings (web).
• Analytics: Limited Ad Tracking (iOS) or Opt out of Ads Personalization (Android) (mobile), or browser privacy settings/extensions for web.
• Account deletion: Settings > Account > Delete Account.

16. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority:

Croatian Personal Data Protection Agency (AZOP)
Selska cesta 136
10000 Zagreb
Croatia
Website: www.azop.hr
For EU residents: Your local data protection authority.

17. Additional Information

17.1 Privacy by Design

We implement privacy by design principles:

• Data minimization.
• Purpose limitation.
• Privacy as the default setting.
• Transparency in data processing.
• User control over personal data.

17.2 Accessibility

This privacy policy is available in:

• In-app/in-service accessible format.
• Screen reader compatible version.
• Multiple languages (as available).

17.3 Questions and Feedback

We welcome your questions and feedback about our privacy practices:
Email: hi@infonominal.com
Response Time: Within 48 hours for general inquiries.
Privacy Requests: Processed within 30 days.

---

© 2025 InfoNominal d.o.o. All rights reserved.