Privacy Policy
1. Who we are
Pilsmaatje is a personal project developed and operated by Mart Borghuis, based in the Netherlands.
- Contact: info@pilsmaatje.nl
- Website: pilsmaatje.nl
For any questions about this Privacy Policy or how we handle your personal data, please contact us at the email address above. This is also the contact point for all privacy-related requests.
2. What this policy covers
This Privacy Policy explains what personal data Pilsmaatje collects, why we collect it, how we use and protect it, and what rights you have. It applies to the Pilsmaatje mobile application (iOS and Android) and the Pilsmaatje web application at app.pilsmaatje.nl.
3. Personal data we collect
3.1 Account data
When you register, we collect:
| Data | Purpose |
|---|---|
| Email address | Account creation, authentication, and account recovery. |
| Display name | Identifying you to your friends within the app. |
3.2 Check-in data
When you create a check-in, we may collect:
| Data | Purpose |
|---|---|
| Item selection | Recording what you are having (e.g. beer, pizza). |
| Photo | An optional photo you choose to attach. Stored as a JPEG image. |
| Location (GPS) | Optional location attached to the check-in, only collected with your explicit permission through the operating system's permission prompt. |
| Location label | A human-readable place name derived from your coordinates (reverse geocoding). |
| Timestamp | When the check-in was created. |
Check-in data automatically expires and is no longer actively displayed after approximately 10 minutes.
3.3 Social and friendship data
| Data | Purpose |
|---|---|
| Friend connections | We store which users are friends to show relevant check-ins. |
| Invite tokens | Temporary tokens created when you invite someone. These expire after 7 days and are deleted after use. |
3.4 Push notification data
| Data | Purpose |
|---|---|
| Device push token | A technical identifier provided by Apple (APNs) or Google (FCM) to deliver push notifications to your device. |
| Platform type | Whether you use iOS, Android, or web (to send the notification through the correct service). |
You can disable push notifications at any time through your device settings or browser settings.
3.5 Custom items
You can create custom food/drink labels for your check-ins. These labels are stored in your personal account.
3.6 Data we do NOT collect
- We do not collect your phone number, date of birth, or government ID.
- We do not access your contacts or address book.
- We do not use advertising identifiers or tracking pixels.
- We do not run analytics or tracking software.
- We do not sell or share your data with advertisers.
- We do not perform profiling or automated decision-making.
- We do not track your location in the background; location is only accessed at the moment you create a check-in, and only if you grant permission.
4. Legal bases for processing (GDPR Article 6)
Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:
| Legal basis | Applies to |
|---|---|
| Performance of a contract (Art. 6(1)(b)) | Account creation, check-ins, friendships, invites — the core features you signed up to use. |
| Consent (Art. 6(1)(a)) | Location access, camera access, photo library access, and push notifications. You grant these through operating system permission prompts and can revoke them at any time. |
| Legitimate interest (Art. 6(1)(f)) | Security measures, preventing abuse, and ensuring the app functions correctly. |
5. How we use your data
We use your personal data exclusively to:
- Provide the app's core features — create and display check-ins, manage friendships, deliver invite flows.
- Send push notifications — notify your friends when you check in, and notify you when your friends check in.
- Display location on the map — show check-in locations to friends (only when you share your location).
- Maintain and improve the service — ensure technical stability and security.
We do not use your data for advertising, marketing emails, profiling, or any purpose unrelated to the app's functionality.
6. Who has access to your data
6.1 Within the app
- Your friends can see your check-ins (item, photo, location, and display name) while they are active.
- Any registered user can see your display name (for friend search/invite purposes).
- Only your friends can see your check-in details and location.
6.2 Third-party service providers (data processors)
We use the following third-party services to operate Pilsmaatje. These parties process data on our behalf and are contractually bound to protect your data:
| Provider | Service | Data processed | Location |
|---|---|---|---|
| Google LLC (Firebase) | Authentication, database, file storage, cloud functions, push messaging | Account data, check-ins, photos, push tokens | EU (europe-west1) |
| Google LLC (Google Maps) | Map display | Map tile requests (IP address) | EU/global |
| Apple Inc. (APNs) | Push notification delivery (iOS) | Device push token, notification content | USA |
| Google LLC (FCM) | Push notification delivery (Android/web) | Device push token, notification content | EU/global |
| Expo / EAS (820 Inc.) | App build and update infrastructure | App bundle metadata (no user data) | USA |
6.3 International data transfers
Our primary data storage is in the EU (Firebase region europe-west1). Some sub-processors (Apple, Google, Expo) may process limited data in the United States. These transfers are safeguarded by:
- EU Standard Contractual Clauses (SCCs) adopted by these providers.
- The EU–US Data Privacy Framework where applicable.
6.4 No other sharing
We do not sell, rent, or otherwise share your personal data with any other third parties.
7. Data retention
| Data | Retention |
|---|---|
| Account data | Retained until you delete your account. |
| Check-ins | Automatically expire approximately 10 minutes after creation. Expired check-ins may be retained in the database but are no longer displayed. |
| Photos | Stored as long as the associated check-in exists. |
| Invite tokens | Expire after 7 days and are deleted upon use. |
| Push tokens | Updated on each login; old tokens are overwritten. |
| Friendship data | Retained until either party removes the friendship or deletes their account. |
| Custom items | Retained until you delete them or delete your account. |
8. Your rights under the GDPR
As a resident of the European Economic Area (EEA), you have the following rights:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you. |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data. |
| Erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten"). |
| Restriction (Art. 18) | Request that we limit how we process your data. |
| Data portability (Art. 20) | Receive your data in a structured, machine-readable format. |
| Objection (Art. 21) | Object to processing based on legitimate interest. |
| Withdraw consent (Art. 7(3)) | Withdraw previously given consent at any time (e.g. revoke location or notification permissions). |
How to exercise your rights
- Account deletion: You can delete your account directly within the app via Settings > Delete Account. This removes your account data, check-ins, friendships, and stored photos.
- Other requests: Email info@pilsmaatje.nl. We will respond within 30 days.
- Complaints: If you believe we have not handled your request properly, you have the right to lodge a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) at autoriteitpersoonsgegevens.nl.
9. Security
We take reasonable technical and organisational measures to protect your personal data, including:
- All data in transit is encrypted using TLS/HTTPS.
- Data at rest in Firebase is encrypted by default.
- Authentication is handled by Firebase Auth with secure password hashing.
- Firestore Security Rules restrict data access (e.g. only friends can view your check-ins).
- Push notification tokens are stored per-user and not shared.
No system is 100% secure. If you discover a security vulnerability, please report it to info@pilsmaatje.nl.
10. Children's privacy
Pilsmaatje is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will delete that data promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you through the app or by other appropriate means. The "Last updated" date at the top of this page reflects the most recent revision.
We encourage you to review this policy periodically.
12. Contact
For any questions, requests, or concerns regarding this Privacy Policy or your personal data:
Mart Borghuis
Email: info@pilsmaatje.nl
Website: pilsmaatje.nl