GDPR (General Data Protection Regulation)
Updated: September 5, 2025
Scope and relation to other policies
This page explains how we comply with GDPR when processing personal data of users from the EU/EEA. It complements our Privacy Policy and Cookie Policy. In case of discrepancies, the Privacy Policy prevails.
Legal bases for processing
- Contract performance â providing the service (account, bar settings, saving configurations).
- Legitimate interest â ensuring security, preventing misuse, performance analytics in aggregated/ anonymized form.
- Consent â marketing communications and optional cookies (where consent is given).
- Legal obligation â compliance with legal requirements and official requests.
Processors, international transfers and SCC
We may engage infrastructure and analytics providers as data processors strictly under data processing agreements (Art. 28 GDPR) and only with the minimum necessary data. Where data is transferred outside the EEA, we implement appropriate safeguards, including Standard Contractual Clauses (SCC).
A list of current subprocessors can be obtained on request via Support or the email below.
Retention periods
We retain data only as long as necessary for processing purposes, after which we delete or anonymize it. Specific retention periods depend on the type of data (account, settings, event logs, billing, if applicable).
Data subject rights (Art. 12â23 GDPR)
- Access to your data and obtaining a copy.
- Rectification of inaccurate or incomplete data.
- Erasure (âright to be forgottenâ) in applicable cases.
- Restriction of processing and objection to certain processing types.
- Data portability in a structured, machine-readable format.
- Withdrawal of consent â if processing is based on consent (affects future processing only).
- Lodge a complaint with your supervisory authority if you believe processing violates GDPR.
How to submit a data request
You can submit a request for access/erasure/rectification by contacting us via Support or by emailing [email protected]. For security, we may require identity verification (email confirmation or another appropriate procedure).
We normally respond within 30 days, as required by Art. 12(3) GDPR. If the request is complex, this may be extended up to 60 days with notification of the reasons.
Security and incidents
We implement technical and organizational security measures (access controls, transport-level encryption, access logging). In case of a security incident that may pose a risk to your rights and freedoms, we will act in line with Art. 33â34 GDPR, notifying the supervisory authority and (if necessary) you.
Data Processing Addendum (DPA)
For customers using us as a processor, a standard Data Processing Addendum (DPA) is available. To obtain a copy or sign it, contact [email protected]. A version with SCC can be provided if required.
Changes to this section
We may periodically update this page to reflect changes in data processing practices or legal requirements. The current version is always available here, with the update date shown above.
Privacy contact
GDPR and privacy inquiries: [email protected]. You may also use the Support page.
