Menjalica — Privacy Policy

Effective from 8 May 2026

1. Who we are

Menjalica is a product of UX Platz DOO, registered in the Republic of Serbia under tax ID 112077057 ("UX Platz", "we", "us"). We operate the Menjalica app and related services and are the data controller for the personal data described below.

Company website: https://www.uxplatz.com

For privacy questions and GDPR rights requests: [email protected].

2. Data we collect

You provide directly: email address, username, password (stored as a salted hash, never plaintext), and optionally first name, last name, avatar, city, postal code, country, and shipping address. The content you generate inside the app — your sticker collection, reviews, chat messages, reports — is also covered.

We collect automatically: your IP address (used in-memory for rate-limiting and discarded shortly after), the push token of your device if you enable notifications, your last-active timestamp, and the swaps you participate in.

From third parties (only if you sign in via OAuth): Google, Apple, or Facebook share with us your email address, your name, and a profile-picture URL. We download that picture once at sign-up so it stays available when the provider's CDN rotates.

3. Legal bases for processing

We rely on the following bases under the EU General Data Protection Regulation:

- Contract (Art. 6(1)(b)) — for everything needed to operate the Service: your account, your collection, your swaps, the messages you exchange.
- Legitimate interest (Art. 6(1)(f)) — for security, abuse prevention, and the public reputation history that makes peer-to-peer trading viable.
- Consent (Art. 6(1)(a)) — for push notifications. You can withdraw it at any time.
- Legal obligation (Art. 6(1)(c)) — where Serbian or applicable EU law requires us to retain or disclose data.

4. How we use your data

- To run the Service: match you with other collectors, show your profile to participants of your swaps, deliver messages, compute reviews.
- To keep the Service safe: enforce rate limits, detect abuse, action reports.
- To communicate with you: confirm your email at sign-up, support password reset, send transactional emails about your swaps and reviews. Push notifications only if you have enabled them.
- To meet legal requirements where applicable.

5. Who sees what

Your username, city, swap count, and reviews are visible to other Menjalica users — that's the public reputation surface that makes the platform work.

Your email and shipping address are not visible to anyone else by default. Your shipping address is shared only with the counterparty of an accepted swap, and only after you explicitly choose "Share address" inside that swap.

6. Processors and third parties

We use the following processors. They process data only on our instructions and under contracts that satisfy GDPR Art. 28:

- OAuth sign-in (Google, Apple, Facebook) — only when you choose to sign in with their service.
- Email delivery — a transactional email provider sends verification, password-reset, and swap-related notifications.
- Push notifications — Firebase Cloud Messaging delivers notifications to your device.
- Hosting — our application servers, database, and image storage are hosted by a cloud provider in the European Economic Area. Specific provider details are available on request.

We do not sell your personal data, and we do not share it for advertising.

7. International transfers

Where one of our processors operates outside the European Economic Area (e.g. Google for FCM and OAuth), the transfer relies on Standard Contractual Clauses approved by the European Commission, or on the EU–US Data Privacy Framework where the recipient is certified.

8. How long we keep data

- Account data — for the life of your account.
- Email-verification tokens — 7 days; password-reset tokens — 1 hour. Then deleted.
- Notifications in your inbox — read items 30 days, unread 90 days, capped at the 500 most recent.
- IP addresses for rate-limiting — in memory only, cleared on process restart.
- After you delete your account: email, name, avatar, address, push token, and password hash are removed immediately. Your username and the public history of completed swaps and reviews are retained because they form part of other users' trust context. The soft-deleted user row is kept indefinitely so the username cannot be re-registered to impersonate you.

9. Your rights

Under GDPR you have the right to:

- Access — Profile → Settings → Download my data produces a JSON export of everything we hold about you.
- Rectify — Profile → Edit profile.
- Erase — Profile → Settings → Delete account.
- Restrict or object to processing in specific circumstances.
- Portability — the JSON export is machine-readable.
- Withdraw consent for push notifications at any time.
- Lodge a complaint with your supervisory authority. In Serbia: Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti.

To exercise any of these rights, write to [email protected]. We respond within 30 days.

10. Cookies and local storage

We do not use advertising cookies or third-party trackers. The app stores authentication tokens on your device or browser so that you stay signed in. The web build also stores your language and text-size preferences in localStorage. None of this is shared with third parties.

11. Security

We protect your data with reasonable technical and organisational measures: HTTPS in production, bcrypt for password hashes, restricted database access, separate environments for development and production, and routine dependency updates. No system is perfectly secure; if we ever experience a personal-data breach with material risk, we will tell affected users and the relevant authority without undue delay.

12. Children

The Service is intended for users 13 years of age and older. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and discover that your child has registered, write to [email protected] and we will delete the account.

13. Changes to this Policy

We may update this Privacy Policy. Material changes will be announced inside the app and, where appropriate, by email at least 14 days before they take effect.

14. Contact

Questions, requests, or complaints: [email protected].