Privacy Policy

This Privacy Policy describes how the application operated by Solvity s.r.o. processes personal data. The service requires user identification to function, and all core features depend on stored information. The statements below explain what is collected, why it is collected, how long it is kept, who can access it, and what rights apply under EU law.

1. Data Controller
Solvity s.r.o.
Bulharská 718/33
Praha 10, 10100
Czech Republic

Contact: support@ubiboard.io.

The company determines the purposes and means of processing for all data handled by the application.

2. Data Collected
Users provide an email address, name, and optionally a birthdate. The email functions as the login identifier and is required for account creation. Stripe billing requires the billing address and the customer ID; only those parameters are stored on the app’s backend. All card data remains within Stripe’s environment and never passes through Solvity systems. Users and communities may upload documents, images, codes, contacts, and other materials. These are stored in Firebase Storage and Firestore. The platform imposes no restrictions on content types; therefore the uploader controls the nature and sensitivity of what appears in the system. Automatic collection occurs through Firebase Analytics and Crashlytics: device metadata, technical events, crash traces, session-related operational information. This data is used to maintain stability and diagnose faults. It is not linked to specific user identities. Push-notification tokens are stored to enable messaging. No location data is collected.

3. Purpose of Processing
User data is processed to create and maintain accounts, authenticate access, manage community membership, store community resources, and enable communication features. Billing data is processed to create and maintain subscriptions, compute entitlements, and maintain compliant accounting records. Automatically collected data is used to detect system failures, measure technical performance, and maintain security. These purposes are essential for operating the service and delivering its functions.

4. Legal Bases Under GDPR
Contract: account creation, authentication, community participation, subscription operation, and storage of uploaded content rely on this basis. Legitimate interests: security controls, diagnostics, analytics, and crash reporting rely on this basis because they are required to maintain a functional and safe service. Legal obligation: retention of business invoices and accounting records. Consent by action: accessing the service and logging in signals acceptance of the Terms and this Policy.

5. Processors and Infrastructure
The application uses Firebase Authentication, Firestore, Storage, Hosting, Messaging, Analytics, Crashlytics, AppCheck, and Cloud Functions. All are configured with EU data residency (Firestore eur3, Functions eur1, and equivalent regions for other services). Auth0 Universal Login is used to authenticate users and is configured for EU operation. Stripe handles subscription payments and customer records within EU regions. All communication occurs over HTTPS.

6. Visibility of Data
Within a community, user names and all published resources are visible to all members. Administrators can see unit and membership assignments for the entire community; non-admin users see only data tied to their own unit. Messages exchanged in chat are visible solely to the participants of that chat. Outside the community, data is shared only with Stripe, Firebase, and Auth0 as required to maintain authentication, billing, and platform stability. Authorities receive data only when legally mandated. No data is sold.

7. User-Generated Content and Responsibility
The platform does not screen or classify uploaded files. Users may upload any type of content, including personal data concerning third parties, and assume full responsibility for legality and appropriateness. Administrators control membership and permissions; if an administrator grants access to an unintended person, the resulting exposure is attributable to administrator action, not to Solvity. Any illegal activity conducted through the service leads to immediate suspension and referral to relevant authorities.

8. Retention
Users and communities may delete their accounts or groups through the app. Deletion is immediate, with a possible residual period of up to 30 days to allow recovery from unintended actions. User-visible invoices are deleted with the account. Business accounting records remain stored for legally required durations. Firestore backups persist for up to one month. Storage files are removed upon community deletion. Analytics and diagnostic data follow Google’s default retention policy, which uses aggregated and anonymized formats. Auth0 and Cloud Functions logs follow their respective default retention schedules.

9. User Rights
Users have the right to access, correct, delete, restrict, or export their personal data. The application interface allows modification and deletion of user information. Additional GDPR requests may be sent to support@ubiboard.io.

10. Children
The service is not designed for minors. No age verification exists. No processing targets minors specifically.

11. Security Measures
All data transmitted uses HTTPS encryption. Firebase and Auth0 enforce strict access rules. Only minimal privileges are granted to backend components. If a breach is detected, affected users will be notified without delay.

12. Automated Decision-Making
Subscription enforcement operates automatically through Stripe. When payments fail, access to subscription features is revoked without manual intervention. No other automated processing produces legal or comparable effects.

13. International Transfers
All systems are configured for EU data residency. No intentional data transfers to locations outside the EEA occur. If a processor performs ancillary processing outside the EEA, it relies on standard contractual and regulatory safeguards.

14. Cookies and Tracking
The web version uses analytics and diagnostic tracking. These operate under legitimate interests to maintain service reliability. The service does not use advertising cookies or cross-site tracking tools.

15. Policy Changes
This Policy may be updated. Continued use of the service after publication of an update places the updated version in effect.